Abstract

The semantics of the Prolog "cut" construct is explored in the context of some desirable 
properties of logic programming systems, referred to as the witness properties. The witness 
properties concern the operational consistency of responses to queries. A generalization of 
Prolog with negation as failure and cut is described, and shown not to have the witness 
properties. A restriction of the system is then described, which preserves the choice and 
first-solution behaviour of cut but allows the system to have the witness properties. 

The notion of cut in the restricted system is more restricted than the Prolog hard cut, 
but retains the useful first-solution behaviour of hard cut, not retained by other proposed 
cuts such as the "soft cut". It is argued that the restricted system achieves a good
compromise between the power and utility of the Prolog cut and the need for internal consistency
in logic programming systems. The restricted system is given an abstract semantics, which 
depends on the witness properties; this semantics suggests that the restricted system has 
a deeper connection to logic than simply permitting some computations which are logical. 

Parts of this paper appeared previously in a different form in the Proceedings of the
1995 International Logic Programming Symposium (Andrews, 1995).



1 Introduction 

Since the first widely-used Prolog implementations of the early 1980s, Prolog pro- 
grammers have had access to some powerful constructs for controlling the backtrack- 
ing behaviour of their programs. The best-known of these is the "cut" , written "!" , 
which appears as a literal in the sequence of literals in a clause body. Cut allows 
programmers to direct the flow of control in a program by cutting away backtrack 
points which lead to unwanted execution paths. 

Programmers have embraced cut enthusiastically. Most large Prolog programs 
now in use contain cuts, or related constructs such as the if-then-else construct (A
-> B ; C). Cut is used mainly for choosing between clauses. However, it has other
important uses, such as for obtaining the first solution to a subgoal and discarding 
others. 

Unfortunately, the unrestricted use of cuts produces a program which has no 
direct logical interpretation. A cut does not even have an effect restricted to the 
clause in which it appears; rather, it may affect all the clauses of the predicate 
which its clause is defining. It is therefore difficult to give a semantics to a program 
which uses cut, other than an operational semantics. 
It seems therefore that the use of cut, and the constructs related to it, must be
restricted in order to regain a logical interpretation for Prolog programs. Various
approaches to this have been proposed, including the "soft cut" and the mode and
determinism restrictions of the Mercury system (Somogyi et al., 1996). However,
neither soft cut nor Mercury allows the behaviour of cut which lets us choose
the first solution to a subgoal and discard other solutions. This is a fundamental
property often used by Prolog programmers, so it would be preferable to preserve
it.

Like most logic programming researchers, we believe that Prolog's "hard cut" 
cannot be salvaged from a logical point of view. However, we do not believe it 
is necessary to retreat all the way to soft cut. In this paper, we show how the 
hard cut of Prolog can be restricted to produce a cut, referred to as "firm cut", 
which has important advantages over both soft and hard cut. Firm cut allows useful 
behaviours such as first-solution which are disallowed by soft cut. Modulo a run- 
time or compile-time mode restriction, firm cut is operationally identical to the 
more widely-used hard cut, which soft cut is not. However, firm cut disallows the 
most non-logical and anti-intuitive behaviours of hard cut, and while (like hard cut) 
it has no purely logical interpretation, it still satisfies some important consistency 
properties which hard cut does not. 

We refer to the consistency properties which firm cut satisfies as the "witness 
properties" . Because it satisfies these properties, firm cut and the systems incorpo- 
rating it can be given abstract semantics based on compositional valuation func- 
tions (functions from goals to truth values) . We demonstrate this by giving such an 
abstract semantics for the system with firm cut. 

Along the way, we also introduce a form of formula, the if formula, which al- 
lows a Prolog program with cuts to be given a "completed form" analogous to the 
Clark completion of a definite clause program. This form of program may have 
applications even when dealing with other forms of cut. 



1.1 The Witness Properties 

One of the central properties we like to prove about logic programming systems 
is the equivalence between the operational and logical semantics. The well-known 
equivalence of SLD-resolution and the least model semantics is the most obvi- 
ous example. Such properties show that the logic programming system in question 
achieves some standard of expected behaviour. 

But what if the logic programming system has no logical semantics? Is there any 
standard to which such a system can be held, any middle ground between a system 
with a full logical semantics and a system indistinguishable from imperative or 
functional programming systems? We believe that there is, and suggest the witness 
properties as a possible standard. 

The witness properties are as follows: 

1. (Success property) If a goal formula G succeeds (returns an answer substitu- 
tion), then some ground instance of G succeeds. 
2. (Failure property) If a goal formula G fails (terminates without returning an
answer substitution), then all ground instances of G fail.

The witness properties accord with our intuitions about the internal consistency 
of logic programming systems, and about the nature of formulas and the search 
for satisfying substitutions for them. They therefore provide a possible standard to 
which to hold logic programming systems. Their name comes from the notion of 
witness for an existentially-quantified formula: the formula ∃x G is true if there is
a witness term t such that G[x := t] is true, and false otherwise. A goal formula
such as p(x) can be read as asking whether ∃x p(x) is true.

In the success property, we insist on ground instances in particular, partly because 
otherwise it would always be vacuously true: G is an instance of G, so if G succeeds, 
some instance of it succeeds. We express the failure property in terms of ground 
terms as well for symmetry. Another reason for using ground terms in the statement 
of the properties is that it allows the success and failure of goals with free variables to 
be characterized in terms of the simpler notion of success and failure of ground goals. 
Many variants of these properties are possible and may be valuable for different 
applications. 

Note that the converses of the witness properties are not necessarily enjoyed by 
logic programming systems. The converse of the success property (if an instance of 
G succeeds, then G succeeds) is not enjoyed by any deterministic definite clause 
resolution system (like Prolog) using a search rule which selects clauses in order, as 
the following example shows: 

p(0) :- p(0).
p(1).

The goal p(y) diverges even though its instance p(1) succeeds. The converse of the
failure property (if all ground instances of G fail, then G fails) is not enjoyed by
any deterministic definite clause resolution system, regardless of search or selection
rule, as the following example (based on that of Clark, Andreka and Nemeti) shows:

The goal p(y) diverges even though every ground instance of it fails.

The witness properties also have theoretical significance. Generally, we may con- 
sider a logic programming system to be unsatisfying from a logical point of view 
if it can be given only operational semantics, as this leads us to suspect that the
operational model is a "hack" which is only logical in the sense that it permits 
some computations which can be viewed as logical. Of course, every operational 
semantics for an LP language can be converted to a denotational semantics if oper- 
ational notions such as unification and substitution sequence are suitably "reified" 
(i.e., represented explicitly by mathematical constructs). However, these semantics 
should not necessarily boost our confidence that the operational model is logical, 
any more than the operational semantics did. The existence of semantics which do 
not reify operational notions suggests that we are dealing with a system which has 
a deeper connection to logic than simply permitting logical computations. Evidence 
from past research and the present paper indicates that the witness properties lead
to such semantics. 



1.2 This Paper 

In this paper, we show how the hard cut of Prolog, as restricted to "firm cut" , 
retains the witness properties and can be given an abstract, non-reifying semantics. 
We believe that the resulting system is the best compromise yet found between the 
power and utility of the Prolog cut and the need for internal consistency in logic 
programming systems. 

In section 2, we review background and related work in more detail. In section 
3, we present the notation and syntax we will use for logic programs with cut 
and a new construct, if. In section 4, we present a first operational semantics for
the extended programs. This operational semantics corresponds to Prolog, with 
its permissive, non-logical view of negation and cut; thus it is referred to as the 
"liberal" semantics. In section 4, we also show that the if construct allows us to 
derive a convenient "completed form" for every program, in which each predicate 
is defined by exactly one clause. 

In section 5, we restrict the liberal operational semantics, and show that the 
restricted system has the witness properties. The new, restricted system is referred 
to as the "conservative" semantics, and firm cut is defined as the cut associated 
with it. In section 6, we define a non-reifying abstract semantics for the system 
with firm cut, using the witness properties to prove soundness and completeness 
of the conservative semantics. Finally, in Section 7 we give some conclusions and 
suggestions for further research. 



2 Background and Related Work 

In this section, we introduce the background of this research and the other research 
related to it. We have grouped this material into three sections: one concerning the 
cut and other choice constructs like the if-then-else, one concerning the semantics 
of depth-first Prolog and cut, and one concerning the various different notions of 
termination of a logic program. 



2.1 Cut and Other Choice Constructs 

Cut was introduced in the DECsystem-10/20 Prolog of 1982, written by David 
Warren, Fernando Pereira, Lawrence Byrd and Luis Pereira. It was recognized even 
at the time as a "meta-theoretic" control construct, which could at best be read 
as making meta-level manipulations of the search tree. Cut was taken into the C-
Prolog interpreter (Pereira et al., n.d.), which became a very widely distributed
early version of the language.

Cut operates by cutting away previously-encountered alternatives. Consider the 
following program: 
p(a, y).
p(b, y) :- q(y), !, r(y).
p(x, y).
q(c).
q(d).
r(d).

(x and y are variables, and a-e are constants.) With respect to this program, calls
to the predicate p exhibit the following behaviour.

• Goals of the form p(a, t) succeed for any term t.

• Goals of the form p(b, t) succeed only if t is d, or if t is not unifiable with
either c or d; otherwise they fail. For instance:

— The goal p(b, y) fails, because y is unified with c by the first clause for q,
the last clauses for p and q are cut away, and r(c) fails.

— The goal p(b, d) succeeds because q(d) succeeds, only the last clause for
p is cut away, and r(d) succeeds.

— The goal p(b, e) succeeds because q(e) fails entirely, and so the third clause
for p is used.

• Finally, goals of the form p(s, t), where s is anything other than a and b,
succeed.

Cut therefore cuts away not only the later clauses of the same predicate, but also
the alternative clauses for subgoals that appear earlier in the clause. The former
behaviour allows us to select clauses, but the latter behaviour allows us to choose
the first solution to a subgoal (by stating the subgoal and following it by a cut). This
may be used for various reasons: to discard solutions that we, the programmers,
know to be equivalent to the first; to prevent backtracking because we know there
will be no more successes; or simply to select the first solution because we know
that is the one we are interested in (for instance, "prime(x), x > 100, !" for the first
prime greater than 100).

We can see immediately that Prolog with the form of cut described above does
not have the failure witness property, since p(b, y) fails but p(b, d) succeeds. (Ex-
amples can be constructed violating the success witness property as well.) The most
common way to fix this problem with cut is to allow backtracking into the portion
before the cut - that is, to cut away later clauses to the current clause but not
alternative clauses to subgoals before the cut. This is generally referred to as the
"soft cut", and the more usual cut is referred to as the "hard cut" in order to dis-
tinguish it. With soft cut, we can regain a logical interpretation: if ! in the above
program is interpreted as soft cut, then the second and third clauses are equivalent
to the classical formulas

p(b, y) ← q(y) ∧ r(y)

p(x, y) ← (¬(x = b) ∨ (x = b ∧ ¬q(y)))

However, we lose the ability to select the first solution with soft cut.
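As an added illustration (example code written for this page, not code from the paper or from any Prolog system), the following small depth-first evaluator in Python runs the p/q/r program above under either hard cut or soft cut. With hard cut it reproduces the failure-witness violation (p(b, y) fails while p(b, d) succeeds); with soft cut p(b, y) succeeds with y = d, but a goal followed by a cut then returns every solution rather than the first, which is the first-solution behaviour soft cut loses. The tuple encoding of terms, the `answers` helper and the extra predicate first_q(y) :- q(y), !. are this example's own assumptions.

```python
import itertools


class Var:
    """A logic variable; equal only to itself (identity), never by name."""
    _ids = itertools.count()

    def __init__(self, name):
        self.name, self.id = name, next(Var._ids)

    def __repr__(self):
        return f"{self.name}_{self.id}"

def walk(t, s):
    """Follow bindings of t in substitution s until an unbound var or non-var."""
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Extend s so that a and b become equal; None if impossible (no occurs check)."""
    a, b = walk(a, s), walk(b, s)
    if a is b:
        return s
    if isinstance(a, Var):
        return {**s, a: b}
    if isinstance(b, Var):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple):  # compound terms
        if len(a) != len(b) or a[0] != b[0]:
            return None
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return s if a == b else None  # atoms

def rename(term, mapping):
    """Copy a clause term with fresh variables, sharing renamings via mapping."""
    if isinstance(term, Var):
        if term not in mapping:
            mapping[term] = Var(term.name)
        return mapping[term]
    if isinstance(term, tuple):
        return (term[0],) + tuple(rename(x, mapping) for x in term[1:])
    return term

def resolve(t, s):
    """Apply all bindings in s to t."""
    t = walk(t, s)
    if isinstance(t, tuple):
        return (t[0],) + tuple(resolve(x, s) for x in t[1:])
    return t

def solve_goal(goal, s, program, soft):
    """Yield substitutions solving one predicate call, clauses tried in order."""
    for head, body in program.get(goal[0], []):
        m = {}
        head, body = rename(head, m), [rename(g, m) for g in body]
        s1 = unify(goal, head, s)
        if s1 is None:
            continue
        committed = [False]  # set once a cut in this clause instance runs
        yield from solve_body(body, s1, committed, program, soft)
        if committed[0]:  # hard and soft cut both discard the later clauses
            return

def solve_body(body, s, committed, program, soft):
    """Yield substitutions solving a clause body left to right, depth first."""
    if not body:
        yield s
        return
    g, rest = body[0], body[1:]
    if g == '!':
        committed[0] = True
        yield from solve_body(rest, s, committed, program, soft)
        return
    for s1 in solve_goal(g, s, program, soft):
        yield from solve_body(rest, s1, committed, program, soft)
        if committed[0] and not soft:
            return  # hard cut only: never retry subgoals placed before the cut

X, Y = Var('x'), Var('y')
# The p/q/r program from the text, plus this example's own first_q(y) :- q(y), !.
PROGRAM = {
    'p': [(('p', 'a', Y), []),
          (('p', 'b', Y), [('q', Y), '!', ('r', Y)]),
          (('p', X, Y), [])],
    'q': [(('q', 'c'), []), (('q', 'd'), [])],
    'r': [(('r', 'd'), [])],
    'first_q': [(('first_q', Y), [('q', Y), '!'])],
}

def answers(goal, soft=False, program=PROGRAM, limit=10):
    """Up to `limit` answers, each the tuple of the goal's resolved arguments."""
    return [tuple(resolve(a, s) for a in goal[1:])
            for s in itertools.islice(solve_goal(goal, {}, program, soft), limit)]
```

`answers(('p', 'b', Var('y')))` returns `[]` under hard cut and `[('b', 'd')]` with `soft=True`, while `answers(('first_q', Var('y')))` returns only `[('c',)]` under hard cut but both c and d under soft cut. The per-clause `committed` flag is the whole difference: both variants stop trying later clauses once the cut has run, but only the hard-cut variant refuses to re-enter the subgoals to the left of the cut.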
A construct related to cut is the "if-then-else" construct, usually written (G1 ->
G2 ; G3) and read "if G1 then G2 else G3". This construct is often syntactic sugar
for a hard-cut-like operation; that is, the evaluation of (G1 -> G2 ; G3) is equivalent
to the evaluation of a goal p(x1, ..., xn) against the program

p(x1, ..., xn) :- G1, !, G2
p(x1, ..., xn) :- G3

where x1, ..., xn are the free variables in G1, G2, G3.

The cut in the if-then-else construct is hard cut in most Prologs. The choice
construct of the Mercury language (Somogyi et al., 1996) is written in this way and
uses soft cut; Mercury has no other choice construct.



2.2 Semantics of Prolog and Cut 



The least-model semantics (van Emden & Kowalski, 1976) is traditionally viewed
as the standard one for pure logic programming as it was originally conceived. 
However, the depth-first search of Prolog and similar systems makes it difficult to 
fit them into the least-model framework, at least if we want a semantics with respect 
to which the system is sound and complete. Evidently some other form of semantics 
is needed to characterize depth-first logic programming systems precisely, whether 
taking cut into consideration or not. 

The operational semantics of Prolog with cut was not formally defined in a self-
contained system until Billaud's 1990 paper (Billaud, 1990). In Billaud's semantics,
when a predicate is called, the current backtrack stack is stored; the execution of 
a cut corresponds to discarding the current backtrack stack and replacing it with 
the one stored by the current predicate. 



Various authors have given denotational semantics for Prolog with cut (de Bruin
& de Vink, 1989; Börger, 1990; Baudinet, 1992), including Billaud in his original
paper (Billaud, 1990). Some of these approaches have proven equivalence with an
operational semantics. These papers were based on earlier work in operational and
denotational semantics of Prolog, including (Jones & Mycroft, 1984; Deransart &
Ferrand, 1987; Arbab & Berry, 1987; Debray & Mishra, 1988; Nicholson & Foo,
1989).

The denotational approaches essentially view a Prolog program as a function 
from goals to sequences of answer substitutions, and "reify" notions like unifica- 
tion and answer substitution sequence by giving abstract mathematical constructs 
corresponding to them. Such approaches are able to handle any operational model 
which transforms a goal into a sequence of substitutions using unification. This 
includes models with any conceivable sound or unsound strategy for negation and 
cut; for instance, sound soft cut, unsound negation as failure, or a negation operator 
which judges ¬p(t) to be true iff t unifies with 42. Therefore, although a reifying
semantics may be very useful for some purposes (for instance, to use as a guide 
for implementation of a standard computational model), the existence of such a 
semantics does not by itself suggest that the system thus characterized is any more 
than an operational superset (or superset of a subset) of pure logic programming. 
In contrast, what may be called the "non-reifying" semantic tradition (Andrews,
1991; Andrews, 1997; Stark, 1998; Elbl, 1999) gives characterizations of the success
and failure of Prolog goals not involving reified answer substitutions and unification.
Andrews' earliest characterizations (Andrews, 1991) took account only of depth-
first Prolog without builtins, negation or cut. Andrews (Andrews, 1997) and Stark
(Stark, 1998) then extended this to systems with negation as failure, Andrews by
characterizing floundering and Stark by imposing a mode restriction. More recently,
Elbl (Elbl, 1999) has given a semantics for depth-first logic programming which uses
more abstract denotations to achieve compositionality, and extends this semantics
to take account of negation with a similar mode restriction to Stark's.

These more logical approaches draw their power from expressing the semantics of 
Prolog in a manner which allows them to avoid encoding operational notions such 
as unification into the semantics. Without such a property, proofs using Stark's 
proof assistant (Stark, 1998), for instance, would have to reason about unification 
at almost every step. 

We should note that even reifying semantics can act as the basis of powerful 
theorem provers if they are automated. For example, Lindenstrauss, Sagiv and 
Serebrenik (Lindenstrauss & Sagiv, 1997; Lindenstrauss et al., 1997) discuss auto-
matic proofs of strong termination based on term rewriting techniques. However, 
in proving termination and (especially) correctness properties, it is often necessary 
to have human intervention, in order to deduce generalizations to be proven by 
induction or norms for proving termination. 



2.3 Termination

We seek an abstract semantics with respect to which some large subset of Prolog 
with cut is sound and complete. The soundness property allows us to argue that 
any outcome which a Prolog goal does return is consistent with the semantics. The 
completeness property, however, allows us to argue that the semantics does not 
judge a goal to be true (resp. false) unless it actually succeeds (resp. fails) according 
to the operational semantics; that is, that we have precisely captured termination 
of goals. We must therefore define exactly what we mean by termination of a goal. 
In this paper, we study left-to-right termination, which subsumes the more widely- 
studied notion of strong termination. 

A Prolog query can have one of several outcomes. It can succeed or fail, or it can 
diverge (fail to terminate altogether). If a query succeeds, Prolog typically gives us 
the option of finding more solutions. If we keep asking for more solutions, there are 
three things that may happen: the query may eventually fail back to the top level 
and report no more solutions; the query may return a finite number of solutions 
and then diverge; or the query may return an infinite number of solutions. We may 
label these outcomes as: 

1. Success:
   (a) Finite number of solutions, then failure.
   (b) Finite number of solutions, then divergence.
   (c) Infinite number of solutions.

2. Failure.

3. Divergence.

These outcomes correspond to the shape of the resolution search tree for systems 
with a left-to-right subgoal selection rule, and the placement of solutions within 
that tree. (In the following, we assume that the leftmost subgoal is always selected, 
that the children of each node of the search tree correspond, left to right, to the 
sequence of clauses defining the selected subgoal's predicate, and that the search 
rule is also left-to-right.) If the tree is finite, we get outcome 1(a) or 2. If it has some 
infinite path, and there is a finite number of solutions to the left of the leftmost 
infinite path, we get outcome 1(b) or 3. Otherwise, there is an infinite number of 
solutions to the left of the leftmost infinite path (outcome 1(c)), and we can obtain 
only a finite prefix of the sequence of solutions by backtracking. 

The two kinds of termination most often mentioned in the literature are existen- 
tial termination and universal termination. A query existentially terminates either 
if it fails, or if there is a solution somewhere in the search tree. Knowing that a 
query existentially terminates is thus useful primarily if we are studying breadth- 
first implementations or nondeterministic operational semantics. A query univer- 
sally terminates if the search tree is finite (i.e., a search on any path terminates). 
Universal termination therefore corresponds only to cases 1(a) and 2 above. 



Most of the work on proving termination of Prolog programs (e.g., (Plümer, 1990;
Apt & Pedreschi, 1993; Bezem, 1993; Apt & Marchiori, 1994; Stark, 1998)) has
concentrated on universal termination. Because of our interest in features of practical
logic programming systems such as Prolog, in this paper we continue to study what
we refer to as depth-first termination. A query depth-first terminates if it returns at
least one solution, or if it fails. Depth-first termination thus encompasses outcomes
1(a)-(c) and 2 above, and thus identifies a larger set of queries as terminating than
universal termination. It also corresponds to one of a Prolog user's intuitive notions
of termination of a goal.

Depth-first termination is what we will have to characterize if we want to take 
account of the behaviour of cut. Cut cuts away all but the first solution returned 
from the portion of the clause before the cut, so all that is important to the seman- 
tics is that the portion before the cut returns at least one solution or fails. Note, 
however, that even in the absence of cut, a goal formula G universally terminates
iff the query (G ∧ false) (in Prolog parlance, (G, fail)) depth-first terminates.
Depth-first termination is thus strictly more general than universal termination. 



3 Notation and Syntax of Extended Programs

In this section, we define the syntax of programs that we will use for the rest of the 
paper. It is a generalization of the subset of Prolog including cut (!), negation as 
failure, and defined predicates. It does not include problematic built-in predicates 
such as assert and retract, var, nonvar, and setof , each of which merits further 
study but whose inclusion might confuse the issues we study here. 
We use the following meta-variables: B, C, F, G and H for formulas, s and t for
terms, and x, y and z for variables, all possibly primed or subscripted. We use x, t,
etc. generally to stand for sequences of variables, terms, etc. We use ∃x as notation
to stand for ∃x1 ... ∃xn, where x = (x1, ..., xn).

We define an extended notion of goal formula (or simply formula), representing a
query or an element of a clause body. The BNF definition of a formula is as follows.

G ::= (t = t) | p(t, ..., t) | G ∧ G | G ∨ G | ¬G | ∃x G | if[x](G, G)

All the connectives are standard except the if connective. if[x](B, C) is a variable
binding construct, which binds all the variables in the list x. if[x](B, C) is computed
as follows: if ∃x(B) is false, so is if[x](B, C); otherwise, if[x](B, C) is equivalent to
Cθ, where θ is the first substitution for x returned by the computation of B. This
form of formula allows us to express a Prolog program with cuts in a "completed"
form (see section 4.3).

We assume a standard syntax of terms. We assume that the language of the
program contains at least two terms, which we will refer to as 0 and 1. We define
the formula true as 0 = 0, and the formula false as 0 = 1.

Because we will be speaking of clauses with cut, we cannot use the standard logic-
programming definition of clause. The BNF definitions of formula, clause, clause
body, and clause body element used in this paper are as follows.

clause ::= p(t, ..., t) :- body
body ::= ε | bodyelt, body
bodyelt ::= G | !

(ε is the empty expression.) As in Prolog, we generally write a clause of the form
p(t1, ..., tn) :- ε as simply p(t1, ..., tn). Note that we restrict the cut to occurring
"at the top level" in clauses. In most Prologs it is possible to use cut within a
complex formula (for instance, a disjunction), but such cuts are seldom used and
their effect is generally said to be undefined.¹

A program is a sequence of clauses. It is clear that the syntax of programs, as 
defined here, generalizes the syntax of Prolog programs with only literals and cuts 
as body elements. For simplicity, we assume that each predicate is defined with a 
distinct arity in a given program; that is, that at every occurrence of a predicate 
name, it is given the same number of parameters. We say that a clause defines 
predicate p if the head of the clause has predicate p. We use clauses{p, P) to stand 
for the sequence of clauses defining predicate p in program P . 

As an example of a program in the extended syntax, consider the following stan-
dard definition of a "delete" predicate:

d(x, [], [])
d(x, [x|ys], zs) :- !, d(x, ys, zs)
d(x, [y|ys], [y|zs]) :- d(x, ys, zs)



¹ Billaud's operational semantics of cut (Billaud, 1990) defines a behaviour of cuts within complex
formulas which is consistent with the operational semantics of some Prolog interpreters.
The goal d(x, y, z) deletes all occurrences of the element x in the list y, resulting in
the list z. As we will see, the following definition is equivalent:

d(x, y, z) :-
    (y = [] ∧ z = [])
  ∨ if[ys](y = [x|ys], d(x, ys, z))
  ∨ (¬∃ys(y = [x|ys]) ∧
     ∃y'∃ys∃zs(y = [y'|ys] ∧ z = [y'|zs] ∧ d(x, ys, zs)))



4 The Liberal Operational Semantics 

In order to define precisely the logic programming systems which will be the focus 
of our study, we must define precisely their operational, or procedural, semantics. 
In this section, we define two operational semantics (the second simpler than the 
first) for the extended logic programs defined in the last section. Because they share 
Prolog's rather lax, non-logical interpretation of negation and cut, they are referred
to as "liberal" operational semantics. The second of these semantics will be used as 
the basis of the more "conservative" semantics of the next section, which regains 
the witness properties. 

Traditionally, operational semantics of logic programming are given using variants 
of resolution, in particular SLD-resolution. However, in the presence of such features 
as depth-first search, negation as failure and cut, SLD-resolution-based operational 
semantics require an additional superstructure of definitions, for instance to define 
the order in which branches of the SLD-tree are searched. We therefore follow
other researchers (Deransart & Ferrand, 1987; Billaud, 1990) in defining operational
semantics for our system using the style which has come to be known as SOS, or
Structured Operational Semantics (Plotkin, 1981).



The rules in this paper are presented in groups, which (following (Abadi &
Cardelli, 1996)) are referred to as "fragments", to emphasize that they are only
parts of formal systems. We define various different operational semantics for vari-
ous different purposes; each semantics will be made up of several of these fragments.



In this section, we first present some basic definitions in section 4.1. In section
4.2, we define the "liberal general" operational semantics. This semantics takes its
name from its liberal attitude and the fact that it can handle general programs
(with multi-clause definitions and cut).

Traditional Prolog multi-clause predicate definitions turn out to be awkward to 
work with in the presence of cut. Predicates defined with a single clause are more 
convenient to work with; but is it always possible to transform a program with 
multi-clause definitions into one with single-clause definitions? In section 4.3 we 
answer this question in the affirmative, defining a "completed form" for programs 
and giving an algorithm which transforms a program to completed form. In section
4.4, we give the "liberal completed" semantics, which is defined only for completed-
form programs and is much simpler than the liberal general semantics. It is this
liberal completed semantics that we use as the basis of the safer, "conservative" 
semantics of the rest of the paper. 
Finally, in section 4.5, we show formally that the liberal semantics, like the Prolog
systems they characterize, are problematic from a logic programming point of view 
because they violate not only logic, but also the weaker witness properties. 



4.1 Basic Definitions

This section defines some basic notions of the operational semantics, namely goal 
stacks, results, judgments and computations. 

The judgements of the operational semantics contain goal stack elements and
results. A goal stack element represents a subgoal to solve, possibly with information
about how to solve it. A goal stack element can be one of the following:

• a formula;

• an expression of the form p(t1, ..., tn) using(γ), where γ is a sequence of
clauses; or

• an expression of the form body(η), where η is a clause body (i.e., a possibly
empty sequence of body elements).

A goal stack element of the form p(t1, ..., tn) using(γ) represents a predicate call
along with the sequence of clauses remaining to be used in its processing; a goal
stack element of the form body(η) represents a predicate body, possibly containing
cuts. (We distinguish a predicate body from a regular sequence of formulas in this
way because a body with cuts demands some special treatment.) We define a goal
stack as a sequence of goal stack elements.

In this paper, the result of a computation in the operational semantics can be 
one of four things: 

• A substitution θ, indicating a successful computation returning θ as the so-
lution;

• fail, indicating failure to find a substitution;

• flounder, indicating that a mode restriction has been violated (see below);
or

• diverge, indicating that the operational semantics believes the computation
to diverge (see below).

Only the first two results are possible with the semantics in this section, but the 
others will be possible in later semantics. 

A judgement of an operational semantics is an expression of the form (θ : α ⇒_P
ρ), where θ is a (finite representation of a) substitution, α is a goal stack containing
no free variables in the domain of θ, P is a program, and ρ is a result. A judgement
indicates that the computation of the goals in α, under the current substitution θ
and the program P, has the result ρ.

A computation in a given operational semantics is a tree, written root-down, in 
which each node is a judgement, and where the relationship between each node 
and its children is defined by the rules in that operational semantics. Computing 
the outcome of a Prolog goal $G$ with respect to program $P$ corresponds to finding 
a result $\rho$ and a computation whose root node is $(() : G \Rightarrow_P \rho)$, where $()$ is the 
empty substitution. Generally, we will drop the $P$ subscript where its value is clear. 

[Fig. 1. An example computation in the liberal general semantics with respect to 
the first "delete" program of Section 3. The computation is split into two pieces in 
order to fit on the page. The computation tree itself is not reproduced here; its root 
is $(() : d(a, [a], z) \Rightarrow \theta'')$, and it is walked through step by step in Section 4.2.1.] 

In the operational semantics, we use $\alpha$ to stand for a goal stack, and $\eta$ to stand 
for a sequence of body elements. We use $\gamma$ to stand for a sequence of clauses; to 
distinguish sequences of clauses more clearly from sequences of goal stack or body 
elements, we separate clauses in a sequence by semicolons, and goal stack or body 
elements by commas. 



4.2 The Liberal General Semantics 

The first operational semantics we study, as described above, is the liberal general 
semantics. It is made up of the fragments [Basic] (Figure 2), [Liberal Choice] (Figure 3), 
and [General Predicates] (Figure 4). The liberal general semantics corresponds 
to most common implementations of Prolog, which employ hard cut and unsound 
negation as failure. We begin this section by looking at an example computation, 
and then discuss the individual rules of the liberal general semantics in more detail. 



4.2.1 Example Computation 

Figure 1 shows an example computation in the liberal general semantics. (The 
clauses $C_1, C_2, C_3$ are the clauses for $d$ from the three-clause version defined in 
Section 3. The substitution $\theta'$ is $[x := a, ys := [], zs := z]$, and the substitution $\theta''$ is 
$[x := a, ys := [], zs := [], x' := a, z := []]$.) This computation, like all computations, 
gives the result of the computation within the same judgement as the original goal. 
Therefore it may not be clear how to obtain a result from knowing only the goal 
we want to solve. The example illustrates how we can do so in a systematic fashion 
by applying rules bottom-up. 

We start (at the bottom) with the goal formula $d(a, [a], z)$ and the empty sub- 
stitution; our task is to determine the result expression, to the right of the $\Rightarrow$ 
symbol. Since $d(a, [a], z)$ is a predicate call, we know that the bottommost rule is a 
Pred rule, that the substitution in the premise is still empty, and that the goal stack 
in the premise is $d(a, [a], z)\,\mathit{using}(C_1; C_2; C_3)$. We therefore apply that rule at the 
bottom of the computation. We have now reduced the problem of finding the result 
of $(() : d(a, [a], z))$ to that of finding the result of $(() : d(a, [a], z)\,\mathit{using}(C_1; C_2; C_3))$. 

Unif/succ: 
$$\frac{\theta' : \alpha\theta' \Rightarrow \rho}{\theta : (s = t), \alpha \Rightarrow \rho}$$ 
where $\theta'$ extends $\theta$ with the mgu of $s$ and $t$ (the premise of this rule is reconstructed 
from the description in Section 4.2.2 and the instances in Figures 7 and 8) 

Unif/fail: 
$$\theta : (s = t), \alpha \Rightarrow \mathit{fail}$$ 
where $s$ and $t$ are not unifiable 

Success: 
$$\theta : \varepsilon \Rightarrow \theta$$ 

Conj: 
$$\frac{\theta : B, C, \alpha \Rightarrow \rho}{\theta : B \& C, \alpha \Rightarrow \rho}$$ 

Disj/nofail: 
$$\frac{\theta : B, \alpha \Rightarrow \rho}{\theta : B \vee C, \alpha \Rightarrow \rho}$$ 
where $\rho$ is not $\mathit{fail}$ 

Disj/fail: 
$$\frac{\theta : B, \alpha \Rightarrow \mathit{fail} \qquad \theta : C, \alpha \Rightarrow \rho}{\theta : B \vee C, \alpha \Rightarrow \rho}$$ 

Exists: 
$$\frac{\theta : B[x := x'], \alpha \Rightarrow \rho}{\theta : \exists x(B), \alpha \Rightarrow \rho}$$ 
where $x'$ does not occur in the conclusion 

Fig. 2. [Basic], the operational semantics rules fragment for the basic logic pro- 
gramming connectives. 

Not/succ: 
$$\frac{\theta : B \Rightarrow \theta'}{\theta : \neg B, \alpha \Rightarrow \mathit{fail}}$$ 

Not/fail: 
$$\frac{\theta : B \Rightarrow \mathit{fail} \qquad \theta : \alpha \Rightarrow \rho}{\theta : \neg B, \alpha \Rightarrow \rho}$$ 

If/succ: 
$$\frac{\theta : B[\bar{x} := \bar{x}'] \Rightarrow \theta' \qquad \theta' : C[\bar{x} := \bar{x}']\theta', \alpha\theta' \Rightarrow \rho}{\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \rho}$$ 
where $\bar{x}'$ do not appear in the conclusion 

If/fail: 
$$\frac{\theta : B[\bar{x} := \bar{x}'] \Rightarrow \mathit{fail}}{\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \mathit{fail}}$$ 
where $\bar{x}'$ do not appear in the conclusion 

Fig. 3. [Liberal Choice], the operational semantics rules fragment for dealing with 
"not" and "if" in a liberal manner. 

14 

James H. Andrews 

Pred: 
$$\frac{\theta : p(t_1, \ldots, t_n)\,\mathit{using}(\gamma), \alpha \Rightarrow \rho}{\theta : p(t_1, \ldots, t_n), \alpha \Rightarrow \rho}$$ 
where $\gamma$ is $\mathit{clauses}(p, P)$, renamed apart from any free variables in the con- 
clusion 

Using/cut/succ: 
$$\frac{\theta : s_1 = t_1, \ldots, s_n = t_n, \eta_1 \Rightarrow \theta' \qquad \theta' : \mathit{body}(\eta_2)\theta', \alpha\theta' \Rightarrow \rho}{\theta : p(s_1, \ldots, s_n)\,\mathit{using}(C, \gamma), \alpha \Rightarrow \rho}$$ 
where $C$ is of the form $p(t_1, \ldots, t_n) \mathrel{:-} \eta_1, !, \eta_2$, and $\eta_1$ contains no cuts 

Using/cut/fail: 
$$\frac{\theta : s_1 = t_1, \ldots, s_n = t_n, \eta_1 \Rightarrow \mathit{fail} \qquad \theta : p(s_1, \ldots, s_n)\,\mathit{using}(\gamma), \alpha \Rightarrow \rho}{\theta : p(s_1, \ldots, s_n)\,\mathit{using}(C, \gamma), \alpha \Rightarrow \rho}$$ 
where $C$ is of the form $p(t_1, \ldots, t_n) \mathrel{:-} \eta_1, !, \eta_2$, and $\eta_1$ contains no cuts 

Using/nocut/succ: 
$$\frac{\theta : s_1 = t_1, \ldots, s_n = t_n, \eta, \alpha \Rightarrow \theta'}{\theta : p(s_1, \ldots, s_n)\,\mathit{using}(C, \gamma), \alpha \Rightarrow \theta'}$$ 
where $C$ is of the form $p(t_1, \ldots, t_n) \mathrel{:-} \eta$, and $\eta$ contains no cuts 

Using/nocut/fail: 
$$\frac{\theta : s_1 = t_1, \ldots, s_n = t_n, \eta, \alpha \Rightarrow \mathit{fail} \qquad \theta : p(s_1, \ldots, s_n)\,\mathit{using}(\gamma), \alpha \Rightarrow \rho}{\theta : p(s_1, \ldots, s_n)\,\mathit{using}(C, \gamma), \alpha \Rightarrow \rho}$$ 
where $C$ is of the form $p(t_1, \ldots, t_n) \mathrel{:-} \eta$, and $\eta$ contains no cuts 

Using/empty: 
$$\theta : p(s_1, \ldots, s_n)\,\mathit{using}(\varepsilon), \alpha \Rightarrow \mathit{fail}$$ 

Body/cut/succ: 
$$\frac{\theta : \eta_1 \Rightarrow \theta' \qquad \theta' : \mathit{body}(\eta_2)\theta', \alpha\theta' \Rightarrow \rho}{\theta : \mathit{body}(\eta_1, !, \eta_2), \alpha \Rightarrow \rho}$$ 
where $\eta_1$ contains no cuts (the premises of this rule are reconstructed by analogy with 
Using/cut/succ and the description in Section 4.2.2) 

Body/cut/fail: 
$$\frac{\theta : \eta_1 \Rightarrow \mathit{fail}}{\theta : \mathit{body}(\eta_1, !, \eta_2), \alpha \Rightarrow \mathit{fail}}$$ 
where $\eta_1$ contains no cuts 

Body/nocut: 
$$\frac{\theta : \eta, \alpha \Rightarrow \rho}{\theta : \mathit{body}(\eta), \alpha \Rightarrow \rho}$$ 
where $\eta$ contains no cuts 

Fig. 4. [General Predicates], the operational semantics rules fragment for dealing 
with general (multi-clause) predicate definitions. 

At this point, we can apply either the Using/nocut/succ or the Using/nocut/fail 
rule; we do not know which is applicable. However, we know that if Us- 
ing/nocut/succ is applicable, the substitution in the left-hand premise is the empty 
substitution and the goal stack in the left-hand premise is $(a = x, [a] = [], z = [])$; 
we also know that if Using/nocut/fail is applicable, then the substitution in 
the (only) premise is again empty and the goal stack in the premise is again 
$(a = x, [a] = [], z = [])$. If the result of this goal stack is $\mathit{fail}$, then Using/nocut/fail 
is applicable; if it is some substitution $\theta$, then Using/nocut/succ is applicable. We 
therefore choose as our next task to find the result of $(() : a = x, [a] = [], z = [])$. 

As it turns out, in two simple steps (a Unif/succ step and a Unif/fail step) 
we can determine that $(() : a = x, [a] = [], z = [] \Rightarrow \mathit{fail})$. Therefore we choose 
Using/nocut/fail as the rule to apply. This choice determines the form of the substi- 
tution (again, the empty substitution) and the goal stack $(d(a, [a], z)\,\mathit{using}(C_2; C_3))$ 
in the right-hand premise. We can repeat this process of finding results in order to 
obtain the result $\theta''$ of $d(a, [a], z)\,\mathit{using}(C_2; C_3)$, which is inherited by our original 
goal $d(a, [a], z)$ as its result. $\theta''$ contains the mapping $[z := []]$; thus the computa- 
tion has correctly told us that the result of deleting $a$ from the list $[a]$ is the empty 
list. 

In general, whenever we are faced with a choice of two rules, the above strategy 
will work. The form of substitution and goal stack in one of the premises can be 
uniquely determined, and the choice of rule and form of substitution and goal stack 
in the other premise (if another is needed) can be uniquely determined from the 
result of the first premise. Thus, information in a computation can be seen as 
"flowing" in a clockwise manner around the perimeter of the computation. 

4.2.2 The Rules 

We now describe the general significance of the rules in the liberal general semantics 
in terms of how the different kinds of goal stack elements are handled. 

The equality rules in the [Basic] fragment describe the usual results of unification; 
if unification fails, the entire goal stack fails, but if it succeeds, the computation 
proceeds under the mgu. The first order connective rules in [Basic] express the 
usual operation of Prolog interpreters. We solve a conjunction by solving each of 
its conjuncts in turn, left to right. We solve a disjunction by attempting to solve 
its left-hand disjunct and the rest of the subgoals; if this is solvable, we can ignore 
the right-hand disjunct, but if not, we attempt to solve that disjunct with the rest 
of the subgoals. Finally, we solve an existential formula (corresponding to a free 
variable in a clause) by renaming its variable apart from the rest of the variables 
in the goal. 

In the [Liberal Choice] rules, we solve a negation by solving the negated formula, 
inverting the sense of the result at the end. This is the usual unsound strategy, which 
will be corrected in the system with firm cut. Similarly, the formula $\mathit{if}[\bar{x}](B, C)$ is 
computed by first computing $B$ and checking the result. If the result is a successful 
computation returning satisfying substitution $\theta$, then $\theta$ is used to compute $C$; 
otherwise, the whole formula fails. This will also be modified in the system with 
firm cut, in order to achieve the witness properties. 

The predicate call and clause selection rules of the [General Predicates] fragment 
reflect how Prolog backtracks over clauses and cuts away alternate solutions. We 
"launch" the processing of a predicate call by collecting the clauses in the program 
defining the predicate into an initial using expression. Then, if the first clause 
contains a cut, we process first only the part before the cut. On success, we retain 
the substitution returned and discard the other clauses, but on failure, we discard 
that first clause and repeat the procedure. This characterizes the behaviour of 
Prolog clauses with cut. 

Conversely, if the first clause does not contain a cut, we process the entire clause 
body along with the rest of the subgoals. Again, on success of the goal stack we 
discard the other clauses, and on failure of the goal stack, the first clause. However, 
because we have included the rest of the subgoals in the goal stack, we retain the 
option of returning to another clause if a subgoal fails later in the computation. 
This characterizes the behaviour of usual Prolog clauses without cut. 

Finally, the predicate body rules reflect how cuts in a clause body after the first 
cut may prune the search tree. If a clause body has cuts, then the portion before 
the first cut is processed first; if it returns a solution, we process the rest of the 
body with that first solution, and otherwise the entire body fails. If the body has 
no cuts, however, it is processed just as a sequence of formulas. 

4.3 Completed Forms of Programs 

In this section, we show that it is possible to transform any program into one in 
a "completed" form, in which every predicate is defined by a single clause without 
cuts. This is valuable because programs in completed form are much easier to work 
with in the proofs we need to do. We begin by giving the transformation algorithm, 
show an example of how it transforms a program, and then prove the required 
properties of the transformation algorithm. 

We say that a program is in completed form when each of the following conditions 
hold: 

1. The parameters in the clause head are distinct variables; 

2. There is only one clause defining each predicate; 

3. The body of each clause consists of a single formula; and 

4. The free variables in the body are a subset of the parameters in the head. 

Our transformation of programs into completed forms depends on the fact that 
our definition of formula includes the if connective, which allows us to achieve the 
effect of cuts; in fact, this is the main reason why if was included in the syntax and 
operational semantics of our language. 

4.3.1 Transformation Algorithm 

Here, we give an algorithm which progressively transforms a program into com- 
pleted form, by replacing clauses with other clauses. The program, as it is being 
transformed, will progressively satisfy each of the following properties. 

(A) The parameters in the clause head are distinct variables. 

(B) Each clause body begins and ends with a formula, and alternates formulas 
and cuts. 

(C) Each clause has at most one cut; that is, each clause body consists of either 
a singleton formula F, or a sequence F, !, G. 
(D) The last clause defining each predicate has a body which is a single formula, 
having no free variables except those appearing in the head. 

(E) Each predicate is defined by exactly one clause. 

The algorithm is as follows. 

1. Choose a countable sequence of variables not appearing in the program. We 
will refer to these variables as $x_1, x_2, \ldots$ in the rest of the algorithm. 

2. While there is some clause in the program not of the form 
$(p(x_1, \ldots, x_n) \mathrel{:-} \eta)$: 

2.1. Choose one such clause $C$, of the form 
$p(t_1, \ldots, t_{k-1}, t_k, x_{k+1}, \ldots, x_n) \mathrel{:-} \eta$, where $t_k$ is not $x_k$. 

2.2. If $t_k$ is a variable $y$ distinct from $x_1, \ldots, x_n$, then replace $C$ in the program 
by $C[y := x_k]$. 

2.3. Otherwise, replace $C$ by 
$p(t_1, \ldots, t_{k-1}, x_k, x_{k+1}, \ldots, x_n) \mathrel{:-} (x_k = t_k), \eta$. 

(After this while loop has been completed, we can assume that property (A) 
above is satisfied.) 

3. While there is some clause of the form $p(x_1, \ldots, x_n) \mathrel{:-} \eta_1, F, G, \eta_2$, where 
$F$ and $G$ are formulas: choose one such clause and transform it to the form 
$p(x_1, \ldots, x_n) \mathrel{:-} \eta_1, (F \& G), \eta_2$. 

4. While there is some clause with an empty body: choose one such clause and 
replace the body by the single formula $\mathit{true}$ (i.e., $[] = []$). 

5. While there is some clause with two consecutive cuts: choose one such clause 
and replace the consecutive cuts by a single cut. 

6. While there is some clause beginning with a cut: choose one such clause and 
insert the formula $\mathit{true}$ before the first cut. 

7. While there is some clause ending with a cut: choose one such clause and 
insert the formula $\mathit{true}$ after the last cut. (We can now assume that property 
(B) above is satisfied.) 

8. While there is some clause of the form $p(x_1, \ldots, x_n) \mathrel{:-} \eta, !, F, !, G$: 

8.1. Select one such clause. 

8.2. Select a predicate name $q$ not appearing in the program. 

8.3. Add a clause to the program of the form $q(\bar{y}) \mathrel{:-} F, !, G$, where $\bar{y}$ are all 
the free variables of $F, G$. 

8.4. Replace the original selected clause by $p(x_1, \ldots, x_n) \mathrel{:-} \eta, !, q(\bar{y})$. 

(We can now assume that property (C) above is satisfied.) 

9. Repeat until the last clause of all predicates is of the form $p(x_1, \ldots, x_n) \mathrel{:-} G$, 
where all free variables of $G$ appear in the head: 

9.1. Choose the last clause of one predicate for which this is not the case; let 
it be of the form $p(x_1, \ldots, x_n) \mathrel{:-} \eta$. 

9.2. If $\eta$ is some singleton formula $G$, replace the clause by 
$p(x_1, \ldots, x_n) \mathrel{:-} \exists \bar{y}(G)$, where $\bar{y}$ are all the free variables of $G$ not 
in $x_1, \ldots, x_n$. 

9.3. Otherwise, $\eta$ is a sequence of the form $F, !, G$. Replace the clause by 
$p(x_1, \ldots, x_n) \mathrel{:-} \mathit{if}[\bar{y}](F, G)$, where $\bar{y}$ are all the free variables of $F, G$ 
not in $x_1, \ldots, x_n$. 

(We can now assume that property (D) above is satisfied.) 

10. While there is some predicate which is defined by more than one clause: 

10.1. Choose one such predicate $p$. Let the second-last clause defin- 
ing $p$ be $p(x_1, \ldots, x_n) \mathrel{:-} \eta$, and let the last clause defining $p$ be 
$p(x_1, \ldots, x_n) \mathrel{:-} H$. 

10.2. If $\eta$ is some singleton formula $G$, replace the two clauses by the single 
clause $p(x_1, \ldots, x_n) \mathrel{:-} \exists \bar{y}(G) \vee H$, where $\bar{y}$ are all the free variables of 
$G$ not in $x_1, \ldots, x_n$. 

10.3. Otherwise, $\eta$ is a sequence of the form $F, !, G$. Replace the two clauses by 
the single clause $p(x_1, \ldots, x_n) \mathrel{:-} \mathit{if}[\bar{y}](F, G) \vee ((\neg \exists \bar{y}(F)) \& H)$, where $\bar{y}$ 
are all the free variables of $F, G$ not in $x_1, \ldots, x_n$. 

(We can now assume that property (E) above is satisfied.) 

The effect of all these steps is that we have arrived at a program in com- 
pleted form, i.e. in which all predicates are defined by a single clause of the form 
$p(x_1, \ldots, x_n) \mathrel{:-} G$, where the free variables of $G$ are among $x_1, \ldots, x_n$. 

Given program $P$, we refer to the program resulting at the end of the sequence of 
transformations as the augmented Clark completion of $P$, or $\mathit{acc}(P)$. The augmented 
Clark completion of $P$ serves essentially the same purpose as the Clark completion 
in Clark's original treatment of negation as failure (Clark, 1978); that is, it gives 
a closed form of the intended meaning of each predicate. We cannot truly consider 
it to be a logical completion, however; the $\mathit{if}$ construct, while it can be given a 
semantics consistent with the witness properties (as we will see), cannot be given 
a logical interpretation. 



4.3.2 Example 

As an example, consider the first "delete" program from Section 3: 

$d(x, [], [])$ 
$d(x, [x \mid ys], zs) \mathrel{:-} !, d(x, ys, zs)$ 
$d(x, [y \mid ys], [y \mid zs]) \mathrel{:-} d(x, ys, zs)$ 

Assume that the variables selected in Step 1 are $x_1, x_2, x_3, \ldots$. The program is 
transformed, by the end of Step 2, to the form: 

$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = []), (x_3 = [])$ 
$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [x_1 \mid ys]), !, d(x_1, ys, x_3)$ 
$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [y \mid ys]), (x_3 = [y \mid zs]), d(x_1, ys, zs)$ 

By the end of step 7, the program has been transformed into: 

$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [] \& x_3 = [])$ 
$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [x_1 \mid ys]), !, d(x_1, ys, x_3)$ 
$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [y \mid ys] \& x_3 = [y \mid zs] \& d(x_1, ys, zs))$ 

Step 8 has no effect because there is no clause with more than one cut (this is 
the case in most programs). However, Step 9 scopes the local variables in the last 
clause, making the whole program read as follows: 

$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [] \& x_3 = [])$ 
$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [x_1 \mid ys]), !, d(x_1, ys, x_3)$ 
$d(x_1, x_2, x_3) \mathrel{:-} \exists y \exists ys \exists zs (x_2 = [y \mid ys] \& x_3 = [y \mid zs] \& d(x_1, ys, zs))$ 

Let us refer to this new body of the third clause as $B_3$. Step 10 first combines the 
last two clauses into a single clause with $\mathit{if}$, resulting in a new program as follows: 

$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [] \& x_3 = [])$ 
$d(x_1, x_2, x_3) \mathrel{:-} \mathit{if}[ys](x_2 = [x_1 \mid ys], d(x_1, ys, x_3)) \vee (\neg \exists ys(x_2 = [x_1 \mid ys]) \& B_3)$ 

Let us refer to this new body of the second clause as $B_2$. Step 10 then continues, 
and transforms the remaining two clauses to the single clause 

$d(x_1, x_2, x_3) \mathrel{:-} (x_2 = [] \& x_3 = []) \vee B_2$ 

The program is now in completed form. 

4.3.3 Properties 

We now prove the properties we want the algorithm to have: that is, that it termi- 
nates, that it produces a program in completed form, and that the completed-form 
result program actually does the same thing as the original program. 

Theorem 1 (Completion Algorithm Termination) 
The completion algorithm terminates. 

Proof 

Each loop in the algorithm continues while there is a clause in the program with a 
specified property. The effect of each loop, however, is to eliminate all clauses with 
the specified property. Therefore each loop in the algorithm terminates. □ 

Theorem 2 (Completed Form Formation) 

The completion algorithm produces a program in completed form. 
Proof 

Once the program being transformed achieves each of the properties (A)-(E), as 
stated in the algorithm text, it never loses those properties. The conjunction of the 
properties (A)-(E) is the same as saying that the program is in completed form. 
□ 

To prove that the completion algorithm preserves the results of computations, 
it is technically necessary to prove by induction on the structure of computations 
that each transformation step preserves result. For brevity, we will prove this in 
detail for only one of the transformations, and then argue more informally in the 
main proof. The following is a lemma and a theorem to do with the transformation 
we will prove in detail. All proofs are contained in Appendix H. 



20 



James H. Andrews 



Lemma 1 

Let $\alpha$ be a goal stack. Let $\alpha'$ be $\alpha$ with any number of occurrences of a sequence 
$B, C$ in a goal stack or clause body replaced by $B \& C$, where $B$ and $C$ are formulas. 
Then $(\theta : \alpha \Rightarrow_P \rho)$ in the liberal general semantics iff $(\theta : \alpha' \Rightarrow_P \rho)$ in the liberal 
general semantics. 

Proof 

See Appendix H. □ 

Lemma 2 

Let $P'$ be $P$ with some sequence $B, C$ in a clause body replaced by $B \& C$. Then 
$\theta : \alpha \Rightarrow_P \rho$ in the liberal general semantics iff $\theta : \alpha \Rightarrow_{P'} \rho$ in the liberal general 
semantics. 

Proof 

See Appendix H. □ 

The main result preservation theorem is as follows. 

Theorem 3 (Result Preservation of Completion Algorithm) 

The completion algorithm preserves result according to the liberal general opera- 
tional semantics. That is, if $P'$ is the completion of $P$, then $\theta : \alpha \Rightarrow_P \rho$ in the 
liberal general semantics iff $\theta : \alpha \Rightarrow_{P'} \rho$ in the liberal general semantics. 

Proof 

We prove the theorem by proving that each of the transformations preserves result. 
The lemma is used in the proof of step 3. The details of the proof can be found in 
Appendix H. □ 

Now that we know that the completion process preserves result, we can assume 
that the programs we deal with will be in completed form (since if not, we have 
an automatic process for transforming them to completed form). We will therefore 
assume this for the rest of this paper. 

4.4 The Liberal Completed Semantics 

Due to the complex behaviour of the Prolog cut, the liberal general operational se- 
mantics contains nine rules for predicates. These rules exist mainly to manipulate 
the sequences of body elements that exist in the clauses of a general program, and 
to backtrack over multiple clauses defining a predicate. Since we now are assuming 
completed-form programs, we can discard these rules in favour of one simple rule. 
The resulting operational semantics is referred to as the liberal completed seman- 
tics. Its simplicity moves us to adopt it as the standard presentation of the liberal 
semantics for the rest of the paper. 

The liberal general semantics' nine rules for predicates were contained in the 
fragment [General Predicates]. The one rule replacing them is the rule contained 
in Figure 5. We refer to the proof system fragment containing only this rule as the 
[Completed Predicates] fragment. Thus, the liberal completed semantics consists of 
the fragments [Basic], [Liberal Choice], and [Completed Predicates]. 

Pred: 
$$\frac{\theta : B[x_1 := t_1, \ldots, x_n := t_n], \alpha \Rightarrow \rho}{\theta : p(t_1, \ldots, t_n), \alpha \Rightarrow \rho}$$ 
where $p(x_1, \ldots, x_n) \mathrel{:-} B$ is the clause defining $p$ in the completed-form 
program $P$ 

Fig. 5. The predicate rule for the liberal completed semantics, the only rule in the 
[Completed Predicates] fragment. 

The following result proves that it is safe to use the liberal completed semantics 
when we have a completed program. 

Theorem 4 (Equivalence of General and Completed Semantics) 
If $P$ is a program in completed form, then the liberal general and liberal completed 
semantics have the same result. That is, $\theta : \alpha \Rightarrow_P \rho$ in the liberal general semantics 
iff $\theta : \alpha \Rightarrow_P \rho$ in the liberal completed semantics. 

Proof 

The computation in the liberal general semantics may have portions ending in 
applications of the Using/nocut/succ and Pred rules, of the following form. 

$$\frac{\dfrac{\dfrac{\theta\xi : G\xi, \alpha \Rightarrow \rho}{\theta : \bar{t} = \bar{x}, G, \alpha \Rightarrow \rho}}{\theta : p(\bar{t})\,\mathit{using}(p(\bar{x}) \mathrel{:-} G), \alpha \Rightarrow \rho}}{\theta : p(\bar{t}), \alpha \Rightarrow \rho}$$ 

where $\xi$ is the substitution $[x_1 := t_1, \ldots, x_n := t_n]$. (We assume without loss of 
generality that the free variables of the clause are distinct from those of the con- 
clusion.) This portion of the computation in the liberal completed semantics will 
have the following form: 

$$\frac{\theta : G\xi, \alpha \Rightarrow \rho'}{\theta : p(\bar{t}), \alpha \Rightarrow \rho'}$$ 

where $\rho'$ differs from $\rho$ only in that it does not contain substitutions for the renamed 
variables arising from clauses. Since the substitution $\xi$ deals only with the $x_i$ vari- 
ables, which do not appear in $\alpha$, the uppermost judgements in the two computations 
are essentially identical. 

The computation in the liberal general semantics may also have portions ending 
in a sequence of applications of the Using/empty, Using/nocut/fail and Pred rules, 
of the following form. 

$$\frac{\dfrac{\dfrac{\theta\xi : G\xi, \alpha \Rightarrow \mathit{fail}}{\theta : \bar{t} = \bar{x}, G, \alpha \Rightarrow \mathit{fail}} \qquad \theta : p(\bar{t})\,\mathit{using}(\varepsilon), \alpha \Rightarrow \mathit{fail}}{\theta : p(\bar{t})\,\mathit{using}(p(\bar{x}) \mathrel{:-} G), \alpha \Rightarrow \mathit{fail}}}{\theta : p(\bar{t}), \alpha \Rightarrow \mathit{fail}}$$ 

where $\xi$ is the substitution $[x_1 := t_1, \ldots, x_n := t_n]$. This portion of the computation 
in the liberal completed semantics will have the following form: 

$$\frac{\theta : G\xi, \alpha \Rightarrow \mathit{fail}}{\theta : p(\bar{t}), \alpha \Rightarrow \mathit{fail}}$$ 

Again, the substitution $\xi$ does not affect $\alpha$. □ 

[Fig. 6. A sample computation in the liberal completed semantics. $B_1 \vee B_2 \vee B_3$ 
is the body of the clause defining $d$ from the second program in Section 3, with 
parameters instantiated. Not all substitutions are listed in full. The computation 
tree itself is not reproduced here; its root is $(() : d(a, [a], z) \Rightarrow \theta'')$.] 

Figure 6 shows a sample computation in the liberal completed semantics, using 
the second, one-clause version of the delete program from Section 3. ($\theta''$ is the 
substitution $[ys := [], z := []]$.) Note that although the number of steps is similar to 
that of the liberal general computation, now the elements of a goal stack are simply 
formulas. This will simplify our analysis, since we can focus on formulas rather than 
having to deal with the interaction of formulas and sequences of clauses with cuts. 



4.5 Inadequacy of Liberal Semantics 

Because it is intended to capture the behaviour of Prolog programs with cut, the 
liberal completed semantics does not have either of the witness properties. Figure 7 
shows that the goal formula $G_1 = \neg(\neg(x = 0)) \& x = 1$ succeeds in the liberal 
completed semantics, even though $G_1[x := 0]$ fails and $G_1[x := a]$, where $a$ is any 
arbitrary ground term not identical to 0, fails. Similarly, Figure 8 shows that the 
goal formula $G_2 = \neg(x = 0) \& x = 1$ fails in the liberal completed semantics, even 
though $G_2[x := 1]$ succeeds. 

This is consistent with the behaviour of the usual unsound implementation of 
negation as failure. We can, of course, ban unsound NAF alone with a mode re- 
striction similar to that of Stark (Stark, 1998); however, if we retain the general 
$\mathit{if}$ construct (corresponding to the hard cut), we will still permit behaviour which 
violates the witness properties. This suggests that we need some further restriction 
to $\mathit{if}$ analogous to Stark's restriction on negation. 

Note that these counterexamples also show that the liberal general semantics 
(a generalization of the liberal completed semantics) has neither of the witness 
properties. 

$$\frac{\dfrac{\dfrac{\dfrac{[x := 0] : \varepsilon \Rightarrow [x := 0]}{() : x = 0 \Rightarrow [x := 0]}}{() : \neg(x = 0) \Rightarrow \mathit{fail}} \qquad \dfrac{[x := 1] : \varepsilon \Rightarrow [x := 1]}{() : x = 1 \Rightarrow [x := 1]}}{() : \neg(\neg(x = 0)), x = 1 \Rightarrow [x := 1]}}{() : \neg(\neg(x = 0)) \& x = 1 \Rightarrow [x := 1]}$$ 

$$\frac{\dfrac{\dfrac{\dfrac{() : \varepsilon \Rightarrow ()}{() : 0 = 0 \Rightarrow ()}}{() : \neg(0 = 0) \Rightarrow \mathit{fail}} \qquad () : 0 = 1 \Rightarrow \mathit{fail}}{() : \neg(\neg(0 = 0)), 0 = 1 \Rightarrow \mathit{fail}}}{() : \neg(\neg(0 = 0)) \& 0 = 1 \Rightarrow \mathit{fail}}$$ 

$$\frac{\dfrac{\dfrac{() : a = 0 \Rightarrow \mathit{fail} \qquad () : \varepsilon \Rightarrow ()}{() : \neg(a = 0) \Rightarrow ()}}{() : \neg(\neg(a = 0)), a = 1 \Rightarrow \mathit{fail}}}{() : \neg(\neg(a = 0)) \& a = 1 \Rightarrow \mathit{fail}}$$ 

Fig. 7. Computations showing that the goal $\neg(\neg(x = 0)) \& x = 1$ violates the success 
property in the liberal completed semantics. $a$ is some arbitrary ground term not 
identical to 0. 

$$\frac{\dfrac{\dfrac{[x := 0] : \varepsilon \Rightarrow [x := 0]}{() : x = 0 \Rightarrow [x := 0]}}{() : \neg(x = 0), x = 1 \Rightarrow \mathit{fail}}}{() : \neg(x = 0) \& x = 1 \Rightarrow \mathit{fail}}$$ 

$$\frac{\dfrac{() : 1 = 0 \Rightarrow \mathit{fail} \qquad \dfrac{() : \varepsilon \Rightarrow ()}{() : 1 = 1 \Rightarrow ()}}{() : \neg(1 = 0), 1 = 1 \Rightarrow ()}}{() : \neg(1 = 0) \& 1 = 1 \Rightarrow ()}$$ 

Fig. 8. Computations showing that the goal $\neg(x = 0) \& x = 1$ violates the failure 
property in the liberal completed semantics. 



5 The Conservative Operational Semantics 

In the last section, we gave operational semantics for programs which characterized 
Prolog computation, but were inadequate from a logic-programming point of view 
because they violated the witness properties. In this section, we repair the faults of 
the liberal semantics by placing simple restrictions on some of its rules. The result 
is the conservative semantics, which does enjoy the witness properties. We refer to 
the form of cut embodied in the conservative semantics as firm cut. 

In Section 5.1, we present and describe the rules for the conservative semantics, 
and in Section 5.2 we prove useful properties of it, including the witness proper- 
ties. Finally, in 5.2 we show that the firm cut still permits the useful first-solution 
behaviour of the Prolog cut. 

Not/succ: 
$$\frac{\theta : B \Rightarrow \theta'}{\theta : \neg B, \alpha \Rightarrow \mathit{fail}}$$ 
where $B$ has no free variables (the premise is that of [Liberal Choice], as Section 5.1 
states) 

Not/fail: 
$$\frac{\theta : B \Rightarrow \mathit{fail} \qquad \theta : \alpha \Rightarrow \rho}{\theta : \neg B, \alpha \Rightarrow \rho}$$ 
where $B$ has no free variables 

Not/flounder: 
$$\theta : \neg B, \alpha \Rightarrow \mathit{flounder}$$ 
where $B$ has free variables 

Not/sub: 
$$\frac{\theta : B \Rightarrow \rho}{\theta : \neg B, \alpha \Rightarrow \rho}$$ 
where $B$ has no free variables, and $\rho$ is $\mathit{flounder}$ or $\mathit{diverge}$ 

If/succ: 
$$\frac{\theta : B[\bar{x} := \bar{x}'] \Rightarrow \theta' \qquad \theta' : C[\bar{x} := \bar{x}']\theta', \alpha\theta' \Rightarrow \rho}{\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \rho}$$ 
where $\exists \bar{x}(B)$ has no free variables, and $\bar{x}'$ do not appear in the conclusion 

If/fail: 
$$\frac{\theta : B[\bar{x} := \bar{x}'] \Rightarrow \mathit{fail}}{\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \mathit{fail}}$$ 
where $\exists \bar{x}(B)$ has no free variables, and $\bar{x}'$ do not appear in the conclusion 

If/flounder: 
$$\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \mathit{flounder}$$ 
where $\exists \bar{x}(B)$ has free variables 

If/sub: 
$$\frac{\theta : B[\bar{x} := \bar{x}'] \Rightarrow \rho}{\theta : \mathit{if}[\bar{x}](B, C), \alpha \Rightarrow \rho}$$ 
where $\exists \bar{x}(B)$ has no free variables, and $\bar{x}'$ do not appear in the conclusion, 
and $\rho$ is $\mathit{flounder}$ or $\mathit{diverge}$ 

Fig. 9. The rules of the [Conservative Choice] fragment, for computing the choice 
constructs in a more restricted fashion. 

$$\frac{() : \neg(x = 0), x = 1 \Rightarrow \mathit{flounder}}{() : \neg(x = 0) \& x = 1 \Rightarrow \mathit{flounder}}$$ 

Fig. 10. The safe computation of $\neg(x = 0) \& x = 1$ in the conservative semantics. 



5.1 The Conservative Semantics Rules 

The conservative operational semantics restricts the computation of negation and 
$\mathit{if}$. Whereas the liberal completed semantics is made up of the rules fragments 
[Basic] (Fig. 2), [Liberal Choice] (Fig. 3), and [Completed Predicates] (Fig. 5), 
the conservative semantics is made up of the rules fragments [Basic], [Conservative 
Choice], and [Completed Predicates]. The rules for the new fragment, [Conservative 
Choice], are in Figure 9. 

Consider the rules Not/succ and Not/fail from [Conservative Choice]. These rules 
are the same as those of the [Liberal Choice] fragment, except that they have the 
restriction that $B$ (the negated formula) must have no free variables. When $B$ 
does have free variables, a new rule, Not/flounder, applies. Not/flounder states 
that a goal stack beginning with a negated formula with free variables immediately 
returns a new result, $\mathit{flounder}$, indicating that the computation cannot continue at 
this point. 

Another new rule, Not/sub, defines what happens when $B$ has no free variables, 
but the sub-computation itself flounders: the $\mathit{flounder}$ result is passed on. Note that 
the rules in the [Basic] and [Completed Predicates] fragments are already described 
in such a way that they also automatically pass on the new $\mathit{flounder}$ result. Hence, 
$\mathit{flounder}$ acts as a kind of run-time exception, which causes the computation to 
terminate immediately.¹ 

The conservative rules for the $\mathit{if}$ connective are constructed from those of the 
liberal rules in a similar manner, modulo the bound variables of the $\mathit{if}$. As an 
example of a conservative computation, consider again the goal $\neg(x = 0) \& x = 1$, 
which was a problem for the liberal semantics. Figure 10 shows that the conservative 
semantics handles it in a sound way, by immediately stating that it flounders. 

We should note at this point that there are other approaches to the problem of 
handling negation in a sound way. Loveland and Reed, for example (Loveland & 
Reed, 1991), define a resolution method by which queries against programs with 
negation can be evaluated in a sound and complete manner. Dahl (Dahl, 1980) 
defines an approach which delays the evaluation of a negated goal until it becomes 
ground, and an approach which, within a negated goal's computation, blocks only 
the unification of variables which are free outside the scope of the negation. Di 
Pierro et al. (Pierro et al., 1995) define an approach in which an existentially closed 
negated atom (a formula of the form $\exists[\neg A]$) succeeds iff all branches of the SLD- 
tree of the atom either fail or instantiate the atom. Some of these methods have 
been implemented in a variety of systems, for instance in Naish's NU-Prolog (Naish, 
1986). Here we are motivated by our interest in the features implemented in the most 
widely-used Prolog systems. Most Prolog systems implement the simple negation 
as failure characterized by the liberal semantics and restricted by the conservative 
semantics. 



5.2 Properties of the Conservative Semantics 

In this section, we prove the properties of the conservative operational semantics 
that we wanted to hold. First, we prove the correspondence of computations in the 
liberal and the conservative semantics. Then, we prove the witness properties. 



[1] Not/sub also passes on the result diverge, which is not needed until Section 3.2.4. 
5.2.1 Correspondence of Computations 

First, we note that successful and failing computations in the conservative semantics 
correspond to successful and failing computations in the liberal completed seman- 
tics. 

Theorem 5 

If $\theta : \alpha \Rightarrow \rho$ in the conservative semantics, and $\rho$ is not flounder, then $\theta : \alpha \Rightarrow \rho$ 
in the liberal completed semantics. 

Proof 

Any computation in the conservative semantics which contains applications of the 
Not/flounder or If/flounder rules must result in flounder, since the flounder out- 
comes of these rules descend through all other rules in the [Basic], [Conservative 
Choice] and [Completed Predicates] fragments. Therefore if a computation in the 
conservative semantics does not result in flounder, it must not use those rules; 
rather, it uses only the other Not and If rules, which are restrictions of those in the 
liberal completed semantics, and the other rules, which are identical to those in the 
liberal completed semantics. Such a computation is, in fact, a computation in the 
liberal completed semantics. □ 

The converse does not hold, since successful and failing computations in the 
liberal completed semantics may flounder in the conservative semantics. However, 
all computations in the liberal completed semantics do correspond to some kind of 
computations in the conservative semantics, as the next theorem shows. 

Theorem 6 

If $\theta : \alpha \Rightarrow \rho$ in the liberal completed semantics, then there is some $\rho'$ such that 
$\theta : \alpha \Rightarrow \rho'$ in the conservative semantics, and $\rho'$ is either $\rho$ or flounder. 

Proof 

By induction on the structure of the liberal completed computation. Cases are on 
the bottommost rule application. 

All applications of rules with premises correspond to rule applications in the 
conservative semantics. 

If the bottommost rule is Disj/fail: the bottommost judgement is of the form 
$(\theta : B \vee C, \alpha \Rightarrow fail)$, and its left-hand premise judgement is of the form 
$(\theta : B, \alpha \Rightarrow fail)$. By the induction hypothesis (IH), either $(\theta : B, \alpha \Rightarrow fail)$ in the 
conservative semantics, or $(\theta : B, \alpha \Rightarrow flounder)$ in the conservative semantics. In 
the first case, the result follows directly from another application of the IH; in the 
second case, the result follows from one application of the Disj/nofail rule. 

The cases for the Not and If rules are similar to that of Disj/fail. Applications of 
all other rules in the liberal completed computation have exactly one premise, and 
correspond to applications of the same rules in the conservative computation. □ 

Examples of goals whose outcomes differ in the liberal completed and conservative 
semantics are as follows: 

• The goal $\neg\neg(x = 0)$ succeeds in the liberal completed semantics, but flounders 
in the conservative semantics. 

• The goal $\neg(x = 0)$ fails in the liberal completed semantics, but flounders in 
the conservative semantics. 

• The goal $\neg\neg(x = 0) \,\&\, loop(x)$, where the predicate $loop$ is defined with the 
definition $loop(x) :- loop(x)$, diverges (does not have any finite computation) 
with respect to the liberal completed semantics; however, it flounders in the 
conservative semantics. 

These examples, along with the witness properties to be proven next, show that 
although strictly fewer goals succeed or fail in the conservative semantics, strictly 
more goals terminate in the conservative semantics. 



5.2.2 The Witness Properties 

Finally, we show the witness properties of the conservative semantics. Most proofs 
are contained in full in the Appendix. 

We begin with some useful definitions. We say that $\theta$ is a specialization of $\theta'$, 
in symbols $\theta \sqsubseteq \theta'$, if there is some $\theta''$ such that $x\theta = x\theta'\theta''$, for all variables $x$ 
in the domain of $\theta'$. Given a set $V$ of variables and a substitution $\theta$, we say that 
a substitution $\xi$ grounds $V$ consistent with $\theta$ if $\xi \sqsubseteq \theta$ and $x\xi$ is ground for every 
$x \in V$. 

An inductive generalization of the failure property can be proven directly; the 
corresponding generalization of the success property requires a technical lemma. 
These three lemmas are as follows. 

Lemma 3 (General Failure Property of Conservative Semantics) 

Let $\theta, \alpha$ be such that $(\theta : \alpha \Rightarrow fail)$ in the conservative semantics. Then for any $\xi$, 

$(\theta : \alpha\xi \Rightarrow fail)$ in the conservative semantics. 

Proof 

See Appendix 0. □ 

Lemma 4 (Substitution Monotonicity of Conservative Semantics) 

Let $\theta, \alpha$ be such that $\alpha\theta = \alpha$ and $\theta : \alpha \Rightarrow \theta'$ in the conservative semantics. Then 

$\theta' \sqsubseteq \theta$. 

Proof 

See Appendix ^ □ 

Lemma 5 (General Success Property of Conservative Semantics) 
Let $\theta, \alpha$ be such that $\theta : \alpha \Rightarrow \theta'$ in the conservative semantics. Let $V$ be a subset of 
the free variables of $\alpha$. Then for any $\xi$ grounding $V$ consistent with $\theta'$, $\theta : \alpha\xi \Rightarrow \theta'\xi$ 
in the conservative semantics. 



Proof 

See Appendix 0. □ 
We can now state and prove the witness properties mentioned in the Introduction 
for the conservative semantics. First, we define more precisely what we mean by 
success and failure. 

We say that a goal $G$ succeeds (in the conservative semantics) if there is a com- 
putation with a conclusion of the form $() : G \Rightarrow \theta'$. We say that a goal $G$ fails if 
there is a computation with a conclusion of the form $() : G \Rightarrow fail$. 

Theorem 7 (Witness Properties of the Conservative Semantics) 

(1) If a goal $G$ succeeds, then some ground instance of $G$ succeeds. 

(2) If a goal $G$ fails, then any ground instance of $G$ fails. 

Proof 

(1) If $G$ succeeds, this means there is a $\theta'$ such that $() : G \Rightarrow \theta'$. Let $\sigma$ be the 
substitution which substitutes all free variables of $G\theta'$ by 0. Let $\xi$ be the substitu- 
tion which substitutes any variable $x \in FV(G)$ by $x\theta'\sigma$. Then $\xi$ grounds $FV(G)$ 
consistent with $\theta'$. By the General Success Property, we have that $() : G\xi \Rightarrow \theta'\xi$. 
Thus the ground instance $G\xi$ of $G$ succeeds. 

(2) If $G$ fails, then $() : G \Rightarrow fail$. By the General Failure Property, for any $\xi$, 
including those grounding all variables in $FV(G)$, we have that $() : G\xi \Rightarrow fail$. 
Thus all ground instances of $G$ fail. □ 

5.3 Implementation Issues 

In this section, we discuss some implementation-related issues. We show that the 
conservative semantics retains the desirable first-solution behaviour of the Prolog 
hard cut. We also discuss the possibility of turning the mode restriction of the 
conservative semantics into a static rather than a dynamic one. 

5.3.1 First Solution Behaviour 

When we have a formula of the form $if[x](B, G)$, the conservative operational 
semantics allows the $x$ variables to pass on to $G$, and allows free variables other 
than $x$ in $G$; however, only the first successful substitution for $x$ is passed on. The 
conservative semantics therefore still allows the useful "first solution" behaviour 
which if has inherited from cut. 

For an example of this behaviour, consider the following problem. We define an 
association list as a list of terms of the form $a(k, j)$, where $k$ is a key and $j$ is a value 
associated with it. A problem commonly encountered in symbolic programming is 
to extract the first value (and only the first value) associated with a key in an 
association list, which is taken as the "current" value of the key. We can write the 
standard logic programming "member" predicate as 

$m(x, y) :- \exists yh\,\exists yt\,(y = [yh|yt] \,\&\, (x = yh \vee m(x, yt)))$ 

and then write a predicate which solves the first-value problem as follows: 

$v(x, y, z) :- if[w](m(a(y, w), x), z = w)$ 
Computation of $m$ subgoal (each judgement is the premise of the one below it): 

$[yh := a(b,0),\ yt := [a(b,1)],\ w := 0] : \varepsilon \Rightarrow [w := 0]$ 
$[yh := a(b,0),\ yt := [a(b,1)]] : a(b,0) = a(b,w) \Rightarrow [w := 0]$ 
$[yh := a(b,0),\ yt := [a(b,1)]] : a(b,0) = a(b,w) \vee m(a(b,w), [a(b,1)]) \Rightarrow [w := 0]$ 
$() : [a(b,0), a(b,1)] = [yh|yt],\ (yh = a(b,w) \vee m(a(b,w), yt)) \Rightarrow [w := 0]$ 
$() : [a(b,0), a(b,1)] = [yh|yt] \,\&\, (yh = a(b,w) \vee m(a(b,w), yt)) \Rightarrow [w := 0]$ 
$() : \exists yt([a(b,0), a(b,1)] = [yh|yt] \,\&\, (yh = a(b,w) \vee m(a(b,w), yt))) \Rightarrow [w := 0]$ 
$() : \exists yh\,\exists yt([a(b,0), a(b,1)] = [yh|yt] \,\&\, (yh = a(b,w) \vee m(a(b,w), yt))) \Rightarrow [w := 0]$ 
$() : m(a(b,w), [a(b,0), a(b,1)]) \Rightarrow [w := 0]$ 

Successful computation: 

(see above)   $[w := 0,\ z := 0] : \varepsilon \Rightarrow [z := 0]$ 
$() : m(a(b,w), [a(b,0), a(b,1)]) \Rightarrow [w := 0]$   $[w := 0] : z = w \Rightarrow [z := 0]$ 
$() : if[w](m(a(b,w), [a(b,0), a(b,1)]), z = w) \Rightarrow [z := 0]$ 
$() : v([a(b,0), a(b,1)], b, z) \Rightarrow [z := 0]$ 

Failing computation: 

(see above) 
$() : m(a(b,w), [a(b,0), a(b,1)]) \Rightarrow [w := 0]$   $[w := 0] : 1 = w \Rightarrow fail$ 
$() : if[w](m(a(b,w), [a(b,0), a(b,1)]), 1 = w) \Rightarrow fail$ 
$() : v([a(b,0), a(b,1)], b, 1) \Rightarrow fail$ 

Fig. 11. Examples showing first-solution behaviour of conservative semantics. 
(Some substitutions are simplified for clarity.) Top: a computation returning the 
first solution to a call to the membership predicate. Middle: a computation show- 
ing that the first solution is selected by if. Bottom: a computation showing that 
subsequent solutions are not selected by if. 

The predicate call $v(x, y, z)$, where $x$ is an association list, $y$ is a key, and $z$ is any 
term, succeeds iff $z$ is the first value associated with $y$ in $x$. 

The query $v([a(b,0), a(b,1)], b, z)$ to this program should result in the binding 
$[z := 0]$, since this is the first value returned by $m$ as associated with the key $b$ in the 
list. However, the query $v([a(b,0), a(b,1)], b, 1)$ to this program should fail; even 
though the value 1 is associated with $b$ later in the list, if should select only the 
first solution. Figure 11 shows that this is indeed the behaviour of the conservative 
semantics. 
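As an added illustration (our own code, not the paper's), the following Python interpreter implements the conservative rules discussed in Sections 5.1 and 5.3.1 for the goals above: negation as failure that flounders when the negated formula has free variables, if[w](B, C) that passes only the first solution of B on to C, and the predicates m and v exactly as defined in the text. The formula encoding (tagged tuples), the helper names, and the answer format are assumptions of this example, and unification is done without an occurs check.

```python
# Added illustration, not the paper's code: a small interpreter for the conservative
# operational semantics of Section 5 (negation as failure, if, floundering).
import itertools

class Var:                                     # identity, not name, decides equality
    _fresh = itertools.count()
    def __init__(self, name=None):
        self.name = name or f"_G{next(Var._fresh)}"

class Flounder(Exception):                     # the Not/flounder and If/flounder results
    pass

def walk(t, s):                                # dereference a variable under substitution s
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def unify(a, b, s):                            # extended substitution or None; no occurs check
    a, b = walk(a, s), walk(b, s)
    if isinstance(a, Var):
        return s if a is b else {**s, a: b}
    if isinstance(b, Var):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            if s is not None:
                s = unify(x, y, s)
        return s
    return s if a == b else None

def free_vars(f, s):
    """Free variables of a term or formula under s; 'exists' and 'if' bind those in f[1]."""
    f = walk(f, s)
    if isinstance(f, Var):
        return {f}
    if not isinstance(f, tuple):
        return set()
    if f[0] == 'call':
        return set().union(*(free_vars(t, s) for t in f[2]))
    if f[0] in ('exists', 'if'):
        return set().union(*(free_vars(g, s) for g in f[2:])) - set(f[1])
    return set().union(*(free_vars(g, s) for g in f[1:]))

def rename(f, m):                              # fresh copy of a clause body or binder scope
    if isinstance(f, Var):
        return m.get(f, f)
    if not isinstance(f, tuple):
        return f
    if f[0] == 'call':
        return ('call', f[1], tuple(rename(t, m) for t in f[2]))
    if f[0] in ('exists', 'if'):
        return (f[0], tuple(m.get(v, v) for v in f[1])) + tuple(rename(g, m) for g in f[2:])
    return (f[0],) + tuple(rename(g, m) for g in f[1:])

def solve(f, s, program):                      # yields answers depth-first, left to right
    tag = f[0]
    if tag == 'eq':
        s2 = unify(f[1], f[2], s)
        if s2 is not None:
            yield s2
    elif tag == 'call':                        # Pred: rename the clause, bind its parameters
        params, body = program[f[1]]
        m = {v: Var() for v in params}
        for p, arg in zip(params, f[2]):
            s = unify(m[p], arg, s)            # binding a fresh variable cannot fail
        yield from solve(rename(body, m), s, program)
    elif tag == 'and':
        for s1 in solve(f[1], s, program):
            yield from solve(f[2], s1, program)
    elif tag == 'or':
        yield from solve(f[1], s, program)
        yield from solve(f[2], s, program)
    elif tag == 'exists':
        yield from solve(rename(f[2], {v: Var() for v in f[1]}), s, program)
    elif tag == 'not':                         # Not/flounder, Not/succ, Not/fail
        if free_vars(f[1], s):
            raise Flounder(f)
        if next(solve(f[1], s, program), None) is None:
            yield s
    else:                                      # 'if': If/flounder, else first solution only
        m = {v: Var() for v in f[1]}
        cond, body = rename(f[2], m), rename(f[3], m)
        if free_vars(cond, s) - set(m.values()):
            raise Flounder(f)
        first = next(solve(cond, s, program), None)
        if first is not None:
            yield from solve(body, first, program)

X, Y, Z, YH, YT, W = (Var(n) for n in ('x', 'y', 'z', 'yh', 'yt', 'w'))
PROGRAM = {  # m(x,y) :- ∃yh∃yt(y = [yh|yt] & (x = yh ∨ m(x,yt)));  v(x,y,z) :- if[w](m(a(y,w),x), z = w)
    'm': ((X, Y), ('exists', (YH, YT), ('and', ('eq', Y, ('.', YH, YT)),
                                         ('or', ('eq', X, YH), ('call', 'm', (X, YT)))))),
    'v': ((X, Y, Z), ('if', (W,), ('call', 'm', (('a', Y, W), X)), ('eq', Z, W)))}
ALIST = ('.', ('a', 'b', 0), ('.', ('a', 'b', 1), '[]'))   # the list [a(b,0), a(b,1)]

def answers(goal, program=PROGRAM):            # bindings of the goal's own variables, or 'flounder'
    outer = sorted(free_vars(goal, {}), key=lambda v: v.name)
    try:
        return [{v.name: walk(v, s) for v in outer} for s in solve(goal, {}, program)]
    except Flounder:
        return 'flounder'
```

With this program, answers(('call', 'v', (ALIST, 'b', Var('z')))) returns [{'z': 0}], the same query with 1 in place of z returns [] because the if never backtracks into m for the second solution, the goal ¬(x = 0) & x = 1 returns 'flounder' (Not/flounder fires on the free x), and its ground instance ¬(1 = 0) & 1 = 1 succeeds, which is the failure-witness situation discussed for the liberal semantics.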

We could evidently get closer to the liberal general semantics by allowing the first 
subformula of the if to be computed with free variables, as long as those variables 
do not get bound in the course of the computation, as suggested by one of Dahl's 
negation strategies (Dahl, 1980) and Di Pierro et al. (Pierro et al., 1995). Since this 
would complicate the operational semantics and our analysis, we have decided to 
stick with the conservative semantics as given. 



5.3.2 Static Analysis 



The conservative operational semantics restricts the behaviour of the logic program- 
ming system by essentially enforcing mode checks at run time. However, we do not 
believe that there is any obstacle to doing static mode checking (see for example 
(Barbuti & Martelli, 1990; Apt & Marchiori, 1994; Gabbrielli & Etalle, 199?)) in 
order to catch programs at compile time which could result in floundering goals. 
(In (Andrews, 199?), a static analysis scheme is proposed which does a fine-grained 
analysis in order to reject as few programs as possible, at the expense of some 
complexity.) 

Because the conservative semantics behaves identically to the liberal semantics 
on non-floundering goals, and because the liberal semantics characterizes Prolog, 
we believe that an implementation of firm cut is achievable simply by imposing 
static mode restrictions on a conventional logic programming system. For the sake 
of brevity, we do not explore this issue further here, but assume in the rest of the 
paper that such a static analysis system is possible. 



6 The Abstract Semantics 



In this section, we present an abstract semantics for the conservative operational 
semantics. The abstract semantics does not reify such notions as substitution se- 
quence and unification; rather, the central element of the semantics which deals 
with free variables is the interpretation of the existential quantifier by a valuation 
function of the same form as those of classical truth theory (Kripke, 1975; Fitting, 
1985). This suggests that the conservative semantics and firm cut have a deeper 
connection to logic than simply permitting some logical computations. 

The abstract semantics is in the UNV (unfolding-normal-form-valuation) style 
(Andrews, 1997), and it depends on the witness properties to achieve soundness 
and completeness. In UNV semantics, we associate a truth value to a goal; the truth 
value can be described as the maximally defined truth value among the valuations 
of the normal forms of the unfoldings of the goal. We doubt that it is possible to 
give such a semantics for the liberal semantics and thus for Prolog with hard cut, 
due to those systems' failure to achieve the witness properties. 

We begin with an overview of UNV semantics in Section 6.1 containing some basic 
definitions, including that of an (operational) outcome of a goal $G$ with respect to 
a program $P$, $outcome_P(G)$. Section 6.1 also contains a "roadmap" of the series of 
results that follow, referred to as the "raising lemmas". In Sections 3.2 through 3.5 
we proceed, through the raising lemmas, to systematically raise the characterizing 
expression for $outcome_P(G)$ to greater and greater levels of abstraction, until all 
operational notions have been abstracted away. 

Finally, in Section 6.5, we link the previous raising lemmas into a final char- 
acterization of outcome of a general goal with respect to a program, and give an 
expression describing the abstract denotation of a program. We conclude with an 
example, in Section 6.6, and some discussion in Section 6.7. 

In this section, whenever we refer to a program $P$ and a goal $G$, we assume that 
$G$ does not yield the flounder result. It may also be possible to characterize the 
flounder result, as in, for instance, (Andrews, 1997). However, for simplicity, here 
we assume that programs will be subject to a static analysis which excludes those 
able to generate such a result, as discussed in Section 5.3.2. 
Fig. 12. Diagram of the basic notions of UNV (unfolding-normal-form-valuation) 
semantics. (Diagram labels: original goal $G$; unfoldings; DFNFs; truth values; 
maximally defined; dfnf.) 

6.1 UNV Semantics 

Here we give an overview of UNV semantics and some basic definitions which will 
be used throughout the section. We also give a "roadmap" of the results which will 
be proven. 



6.1.1 Overview 

The UNV semantics given here is based on six basic notions: 

• The three truth values T, F and U, or "true", "false", and "undefined". 

• The definedness ordering on truth values, which ranks T and F as being more 
defined than U. 

• The alethic or truth ordering on truth values, which ranks U as "more true" 
than F and T as "more true" than U. 

• The unfoldings of a goal, which are the formulas obtained from the goal by 
expanding zero or more predicate calls, possibly repeatedly. 

• The depth-first normal form, or DFNF, of a goal, which is a formula closely 
related to the disjunctive normal form (DNF) of the goal. 

• The valuation v{G) of a goal G in DFNF, which is a compositional function 
from formulas to truth values. 

The last three of these will be given more precise and detailed definitions in the 
course of this section. 

A schematic diagram of the basic notions of UNV semantics is contained in 
Figure 12. Given a goal $G$, we consider all the (possibly infinitely many) unfoldings 
$G_1, G_2, G_3, \ldots, G_n, \ldots$ of the goal. Then, we find the DFNFs of all the unfoldings, 
resulting in the normal-form goals $G_1', G_2', G_3', \ldots, G_n', \ldots$. We apply the valuation 
function $v$ to the normal-form goals, getting a set $V_1, V_2, V_3, \ldots, V_n, \ldots$ of truth 
values, each of them equal to either $T$, $F$, or $U$. (The alethic ordering of truth 
values is used to compute the valuation of existentially-quantified goals.) There 
will be one unique maximally defined truth value in this set; this will be taken as 
the truth value of the original goal $G$. 



6.1.2 Outcomes of Goals 

When we evaluate a goal in a logic programming system, we expect to receive a 
substitution (if one exists) as the result of the evaluation. However, when we prove 
properties of logic programs, we are more interested in proving whether a general 
pattern of goals succeeds or fails; we are less interested in obtaining substitutions, 
because there may be a different substitution for each different instance of the 
pattern. Hence, in this paper (as in (Andrews, 1991; Andrews, 1997; Stark, 1998)) 
we take the "observable" of interest to be whether a goal succeeds, fails or diverges, 
linking these observables to the truth values $T$, $F$ and $U$ respectively. 

We therefore define the outcome of a goal $G$ with respect to $P$, $outcome_P(G)$, as 
follows. 

• If there is a $\theta'$ such that $(() : G \Rightarrow_P \theta')$ in the conservative operational 
semantics, then $outcome_P(G) = T$. 

• If $(() : G \Rightarrow_P fail)$ in the conservative operational semantics, then 
$outcome_P(G) = F$. 

• Otherwise (i.e., if there is no result $\rho$ such that $(() : G \Rightarrow_P \rho)$ in the conser- 
vative semantics), then $outcome_P(G) = U$. 

This notion of outcome will be what is characterized by the abstract, UNV seman- 
tics. 

For use in the raising lemmas, we will also need the closely-related notion of 
"pessimistic outcome" $outcome^{\sim}(G)$ of a goal $G$. This is what the outcome of $G$ 
would be, independent of the program, if we were to pessimistically assume that 
all predicates in the program would diverge (result in infinite computations). This 
notion will be defined more precisely below. 



6.1.3 Roadmap 

Here we present a guide to the characterization results that follow. The sequence 
of raising lemmas we will prove will be as follows: 

1. The outcome of a goal $G$ with respect to a program $P$ can be obtained by 
inspecting all the pessimistic outcomes of all the unfoldings of $G$, and taking 
the maximally defined one. ($outcome_P(G) = max_k(\{outcome^{\sim}(G') \mid G'$ is a 
$P$-unfolding of $G\})$.) 

2. The pessimistic outcome of a goal $G$ is the same as the pessimistic outcome 
of its depth-first normal form. ($outcome^{\sim}(G) = outcome^{\sim}(dfnf(G))$.) 

3. The pessimistic outcome of a goal $G$ in depth-first normal form can be char- 
acterized by a compositional valuation function (function from goals to truth 
values), $v$. ($outcome^{\sim}(G) = v(G)$.) 

4. Putting the previous three raising lemmas together, the outcome of $G$ with 
respect to $P$, $outcome_P(G)$, can be alternatively characterized by the expres- 
sion $max_k(\{v(dfnf(G')) \mid G'$ is a $P$-unfolding of $G\})$. 

This final result gives an abstract view of the meaning of a program, which allows 
us to define the program's denotation, concluding the characterization. 



6.2 Unfoldings and the Pessimistic Semantics 

In this section, we define the notion of unfolding of a goal, and also define the 
pessimistic operational semantics, which treats all predicates as being divergent. 
We then show how the two notions are related by proving that every terminating 
goal has some unfolding which terminates even in the pessimistic semantics. This 
property is useful because it allows us to abstract away (into the notion of unfolding) 
all consideration of the program, and concentrate on characterizing outcomes under 
the program-independent pessimistic semantics. 

We then draw upon the standard notion of definedness ordering of truth values in 
order to get a succinct characterization of this relationship. The section concludes 
with the first raising lemma. 



6.2.1 Unfoldings 

Informally, an unfolding of a goal is the goal after some predicate calls are replaced 
by the corresponding predicate bodies, possibly repeatedly. The notion comes origi- 
nally from Burstall and Darlington's corresponding functional programming notion 
(Burstall & Darlington, 1977), and is analogous to Tamaki and Sato's notion of 
unfolding of a program (Tamaki & Sato, 1984). Unfoldings are also used in the 
unfolding semantics of Gabbrielli and Levi (Gabbrielli & Levi, 1992), and in other 
semantics such as Etalle's for modular general logic programs (Etalle, 199?). 

More formally, given a program $P$ in completed form, a formula $G'$ is a 1-$P$- 
unfolding of $G$ if it is $G$ with one occurrence of $p(t_1, \ldots, t_n)$ replaced by $B[x_1 := 
t_1, \ldots, x_n := t_n]$, where $(p(x_1, \ldots, x_n) :- B)$ is a definition in $P$. A formula $G''$ is 
a $P$-unfolding of $G$ if it is either $G$ itself, or a $P$-unfolding of a 1-$P$-unfolding of $G$. 
We will drop the program name $P$ when it is unimportant or clear from context. 
Clearly, the $P$-unfolding operation, seen as a rewriting, is confluent. 

For instance, let the program $P$ consist of the definitions $(q :- r)$ and 
$(p :- q \,\&\, p)$. Then the goal $G = (q \vee p)$ has two 1-$P$-unfoldings, namely $(r \vee p)$ 
and $(q \vee (q \,\&\, p))$. $G$ has an infinite number of $P$-unfoldings, including $G$ itself, its 
two 1-$P$-unfoldings, and other unfoldings such as $(r \vee (q \,\&\, (r \,\&\, p)))$. 

We define a $P$-unfolding of a sequence $G_1, \ldots, G_n$ of formulas as any sequence 
$G_1', \ldots, G_n'$ of formulae in which $G_i'$ is a $P$-unfolding of $G_i$, for all $1 \le i \le n$. 



34   James H. Andrews 

Pred: $\theta : p(t_1, \ldots, t_n), \alpha \Rightarrow diverge$ 

Fig. 13. The predicate rule for the pessimistic semantics, the only rule in the 
[Pessimistic Predicates] fragment. 

6.2.2 The Pessimistic Semantics 

If we unfold a succeeding or failing goal enough, we obtain a goal which succeeds 
or fails without doing any predicate expansions. A divergent goal, however, cannot 
be unfolded to a point where it succeeds or fails without predicate expansions. 

These facts suggest the following analytical framework. We define an operational 
semantics, the pessimistic semantics, which returns the result diverge on any predi- 
cate call. We can then characterize a successful goal as one with an unfolding which 
succeeds in the pessimistic semantics, a failing goal as one with an unfolding which 
fails in the pessimistic semantics, and a divergent goal as one with no unfolding 
which returns anything but diverge in the pessimistic semantics. 

To this end, we define the pessimistic operational semantics as being made up of 
the operational semantics fragments [Basic], [Conservative Choice], and [Pes- 
simistic Predicates], where the latter fragment consists of the single rule shown in 
Figure 13. Note that the rules in [Basic] and [Conservative Choice] are described in 
such a way that they pass on the diverge outcome. Thus, as soon as a predicate call 
is encountered in the course of computation, the pessimistic semantics effectively 
assumes that the computation will diverge. This means, for instance, that if there 
is a predicate call in a goal G to the left of the first disjunction in G, then G will 
diverge according to the pessimistic semantics. 

We define the pessimistic outcome of a goal $G$, $outcome^{\sim}(G)$, as follows. 

• If there is a $\theta'$ such that $(() : G \Rightarrow \theta')$ in the pessimistic operational semantics, 
then $outcome^{\sim}(G) = T$. 

• If $(() : G \Rightarrow fail)$ in the pessimistic operational semantics, then 
$outcome^{\sim}(G) = F$. 

• Otherwise (i.e., if $(() : G \Rightarrow diverge)$ in the pessimistic semantics), then 
$outcome^{\sim}(G) = U$. 

Note that the program P is irrelevant to the pessimistic semantics, and that all 
computations in the pessimistic semantics are of bounded size because predicate 
calls are not expanded. 

6.2.3 Results 

Here we show the relationship between unfoldings and the pessimistic semantics. 
Theorem 8 

Let $\theta : \alpha \Rightarrow_P \rho$ in the conservative semantics. Then some $P$-unfolding $\alpha'$ of $\alpha$ is 
such that $\theta : \alpha' \Rightarrow \rho$ in the pessimistic semantics. 

Proof 

By induction on the structure of the conservative computation. Cases are on the 
bottommost rule, and all cases follow trivially from the induction hypothesis except 
the case in which the bottommost rule is a Pred rule. In this case, one additional 
predicate unfolding is necessary to obtain $\alpha'$ from the $\alpha'$ of the induction hypothesis. 
□ 

Fig. 14. Hasse diagrams of the "definedness" ordering $\le_k$ (left) and the "truth" 
ordering $\le_t$ (right) of truth values. 

The converse of the above theorem is also the case: 

Theorem 9 

Let some $P$-unfolding $\alpha'$ of $\alpha$ be such that $\theta : \alpha' \Rightarrow \rho$ in the pessimistic semantics, 
where $\rho$ is not diverge. Then $\theta : \alpha \Rightarrow_P \rho$ in the conservative semantics. 

Proof 

By induction on the number of 1-$P$-unfoldings needed to derive $\alpha'$ from $\alpha$. The 
base case (0 unfoldings) is trivial. For the inductive case ($n$ unfoldings), let $\alpha''$ be 
a 1-$P$-unfolding of $\alpha$ such that $\alpha'$ is a $P$-unfolding of $\alpha''$ after $n - 1$ unfoldings. By 
the induction hypothesis, $\theta : \alpha'' \Rightarrow_P \rho$ in the conservative semantics. 

It remains to prove that $\theta : \alpha \Rightarrow_P \rho$ as well. We do this by induction on the 
structure of the $\alpha''$ computation. The cases are on the bottommost rule applied. 
In all cases, if $\alpha$ starts with a predicate call and $\alpha''$ is derived from it by unfold- 
ing that call, then the computation of $\alpha$ can be derived from that of $\alpha''$ by just 
adding an application of Pred. Otherwise, all cases follow directly from one or more 
applications of the induction hypothesis. □ 

This property of predicate unfoldings and the pessimistic semantics will be use- 
ful for the rest of the paper, because it allows us to abstract away from the un- 
bounded computations of the non-pessimistic semantics and consider only the sim- 
pler, bounded computations of the pessimistic semantics. 

The following definitions and theorem make the connections between unfoldings 
and the pessimistic semantics more precise and concise by allowing us to give an 
expression corresponding to the outcome of a goal in terms of its pessimistic out- 
come. 



6.2.4 The Definedness Ordering 
We define the definedness ordering $\le_k$ on truth values as the least partial order 
relation such that $U \le_k T$ and $U \le_k F$ (see Figure 14). This is a standard 
ordering for these three truth values; see for example (Belnap, 1977). The expression 
$max_k(S)$, where $S$ is a set of truth values, is undefined if $\{T, F\} \subseteq S$, and otherwise 
is defined as the unique truth value $V$ such that $W \le_k V$ for all $W \in S$. 
Finally, we give the first raising lemma. 

Lemma 6 (Raising Lemma 1) 

For any goal $G$, $max_k(\{outcome^{\sim}(G') \mid G'$ is a $P$-unfolding of $G\})$ is well-defined 
and equal to $outcome_P(G)$. 

Proof 

Let the set $S$ of truth values be $\{outcome^{\sim}(G') \mid G'$ is a $P$-unfolding of $G\}$. First 
assume that $outcome_P(G) = T$. By Theorem 8, $T \in S$; however, if $F \in S$, then by 
Theorem 9, $outcome_P(G) = F$, a contradiction. Therefore $max_k(S)$ is defined and 
must be $T$. Similarly, if $outcome_P(G) = F$ then $max_k(S)$ is defined and equal to 
$F$. If $outcome_P(G) = U$, then it cannot be the case that $T \in S$ or $F \in S$, because 
otherwise, by Theorem 9, $outcome_P(G) \neq U$. Therefore $S = \{U\}$, and $max_k(S)$ is 
defined and equal to $U$. □ 
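As an added example (ours, not the paper's), here is a propositional version of the machinery of Sections 6.2.1 to 6.2.4: 1-P-unfoldings, the pessimistic outcome (every predicate call yields U, and diverge is passed on left to right), the definedness maximum max_k, and outcome_P computed as Raising Lemma 1 states. The set of P-unfoldings is infinite, so the code explores only the unfoldings reachable within a fixed number of steps; for a goal that succeeds or fails, a large enough bound makes the bounded set contain the witnessing unfolding, and for a divergent goal every bounded set contains only U. The program is the page's example (q :- r, p :- q & p) extended with constructed bodies for r and s; predicates carry no arguments, so an equation is a comparison of two constants.

```python
# Added illustration, not the paper's code: unfoldings of a propositional goal, the
# pessimistic outcome, and Raising Lemma 1 via max_k over a bounded set of unfoldings.
T, F, U = 'T', 'F', 'U'
POS = {'and': (1, 2), 'or': (1, 2), 'not': (1,), 'if': (2, 3)}   # subformula positions

def pessimistic(f):
    """outcome~(f): left-to-right three-valued evaluation; every predicate call diverges."""
    tag = f[0]
    if tag == 'eq':
        return T if f[1] == f[2] else F
    if tag == 'call':                           # the single [Pessimistic Predicates] rule
        return U
    if tag == 'not':
        return {T: F, F: T, U: U}[pessimistic(f[1])]
    left = pessimistic(f[POS[tag][0]])          # 'and' / 'or' / 'if': left part first, ...
    if tag == 'or':
        return pessimistic(f[2]) if left == F else left
    return pessimistic(f[POS[tag][1]]) if left == T else left   # ... diverge is passed on

def one_unfoldings(f, program):
    """All 1-P-unfoldings: f with exactly one predicate call replaced by its body."""
    if f[0] == 'eq':
        return []
    if f[0] == 'call':
        return [program[f[1]]]
    return [f[:i] + (g,) + f[i + 1:] for i in POS[f[0]] for g in one_unfoldings(f[i], program)]

def unfoldings(f, program, depth):
    """P-unfoldings reachable in at most `depth` steps (a finite slice of the full set)."""
    seen = frontier = {f}
    for _ in range(depth):
        frontier = {g for h in frontier for g in one_unfoldings(h, program)} - seen
        seen = seen | frontier
    return seen

def max_k(values):
    """k-maximum of a set of truth values; undefined (an error here) if both T and F occur."""
    values = set(values)
    if {T, F} <= values:
        raise ValueError('max_k undefined: both T and F present')
    return T if T in values else F if F in values else U

def outcome(f, program, depth=6):
    """outcome_P(f) as in Raising Lemma 1, over the unfoldings within `depth` steps."""
    return max_k(pessimistic(g) for g in unfoldings(f, program, depth))

# The program of Section 6.2.1 (q :- r, p :- q & p) with constructed bodies for r and s.
q, r, p, s = ('call', 'q'), ('call', 'r'), ('call', 'p'), ('call', 's')
PROGRAM = {'q': r, 'r': ('eq', 'a', 'a'), 'p': ('and', q, p), 's': ('eq', 0, 1)}
```

For the goal q ∨ p, one_unfoldings gives exactly the two 1-P-unfoldings named in the text, (r ∨ p) and (q ∨ (q & p)), and outcome returns T because the unfolding (a = a) ∨ p succeeds pessimistically; the goal p alone returns U at every bound, since each of its unfoldings still contains a call to the left of anything that could decide it.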



6.3 Depth-First Normal Form 

We now turn to the notion of depth-first normal form (DFNF) in order to increase 
the level of abstraction of the semantics. The DFNF of a formula G is a formula 
which is operationally equivalent to G but whose outcome can be given a composi- 
tional characterization. In this section, we first define a term-rewriting system which 
rewrites formulas into formulas. We then prove that the system is locally confluent 
and terminating, and that it transforms every formula to a unique normal form 
(which we define as the DFNF). We then prove that each of the transformations 
of the rewriting system preserves pessimistic outcome. The conclusion is that each 
goal has a unique DFNF which has the same pessimistic outcome as the original 
goal. 

The DFNF by itself does not directly raise the abstraction level of the semantics; 
however, it puts a goal in a form which can be given an abstract characterization, 
as we will see in the next section. The conclusion of this section is therefore referred 
to as the second raising lemma. 



6.3.1 Term- Rewriting System 

The notion of DFNF, which is closely related to the notion of disjunctive normal 
form (DNF), was introduced in ( Andrews, 1997 ). Here we expand the notion to 
take account of if formulas. 

The classes of negated-disjunction ($N$) and outer-disjunction ($O$) formulae are 
defined mutually recursively as follows. (Informally, an $N$ formula has $\vee$s directly 
inside only $\neg$s or other $\vee$s.) 

$N ::= p(t_1, \ldots, t_n) \mid s = t \mid N \,\&\, N \mid \exists x N \mid \neg O$ 
$O ::= N \mid O \vee O$ 

For example, $p \vee (\exists x(q(x)) \,\&\, r)$ is an outer-disjunction formula but not a negated- 
disjunction formula; however, $\neg(p \vee (\exists x(q(x)) \,\&\, r))$ is a negated-disjunction formula 
and thus automatically an outer-disjunction formula. 

R1 $(B_1 \vee B_2) \,\&\, C \ \rhd\ (B_1 \,\&\, C) \vee (B_2 \,\&\, C)$ 

R2 $B \,\&\, (C_1 \vee C_2) \ \rhd\ (B \,\&\, C_1) \vee (B \,\&\, C_2)$, where $B$ is negated-disjunction 

R3 $\exists x(B_1 \vee B_2) \ \rhd\ (\exists x B_1) \vee (\exists x B_2)$ 

R4 $if[\bar{x}](B_1 \vee B_2, C) \ \rhd\ if[\bar{x}](B_1, C) \vee (\neg(\exists \bar{x} B_1) \,\&\, if[\bar{x}](B_2, C))$ 

R5 $if[\bar{x}](B, C) \ \rhd\ \exists \bar{x}(B \,\&\, C)$, where $B$ is negated-disjunction 

Fig. 15. The rules of the term-rewriting relation $\rhd$. 

The notion of depth-first normal form is based on the five rules R1-R5 of the 
term-rewriting relation $\rhd$ (Figure 15), which can be applied anywhere in a formula 
to rewrite it into another formula. Two of the rules refer to the notion of a negated- 
disjunction formula. We define a formula to be in depth-first normal form if none 
of R1-R5 can be applied anywhere in the formula. 

For example, the formula $if[x](x = 0, p(x) \vee q(x))$ can be rewritten by one ap- 
plication of R5 to $\exists x(x = 0 \,\&\, (p(x) \vee q(x)))$, and then by one application of R2 to 
$\exists x((x = 0 \,\&\, p(x)) \vee (x = 0 \,\&\, q(x)))$. It can then be rewritten by one application of 
R3 to $\exists x(x = 0 \,\&\, p(x)) \vee \exists x(x = 0 \,\&\, q(x))$. None of the rules R1-R5 apply to this 
latter formula, so it is in depth-first normal form. 



6.3.2 Local Confluence and Termination 

To prove that the rewriting process always leads to a single formula, we prove local 
confluence and termination of this rewriting system. The proofs are contained in 
Appendix 

Theorem 10 (Local Confluence of Rewriting System) 

If $A \rhd A_1$ and $A \rhd A_2$, then there is an $A_3$ such that $A_1 \rhd^* A_3$ and $A_2 \rhd^* A_3$. 
Proof 

See Appendix 0. □ 

In preparation for proving termination of the rewriting system, we define the 
depth $d(G)$ of a formula $G$. It is the conventional notion of depth of a formula, 
expanded to take account of if. 

$d(s = t) = d(p(t_1, \ldots, t_n)) = 1$ 
$d(B \,\&\, C) = d(B \vee C) = \max(d(B), d(C)) + 1$ 
$d(\neg B) = d(\exists x B) = d(B) + 1$ 
$d(if[x_1, \ldots, x_n](B, C)) = \max(d(B), d(C)) + 1$ 

We also define the maximum potential depth $pd(G)$ of a formula $G$. This is the 
depth that the formula might possibly attain after repeatedly being transformed 
with R1-R5. 

$pd(s = t) = pd(p(t_1, \ldots, t_n)) = 1$ 
$pd(B \,\&\, C) = pd(B \vee C) = \max(pd(B), pd(C)) + 1$ 
$pd(\neg B) = pd(\exists x B) = pd(B) + 1$ 
$pd(if[x_1, \ldots, x_n](B, C)) = n + 2\,pd(B) + \max(pd(B), pd(C))$ 

Clearly $1 \le d(G) \le pd(G)$ for all formulas $G$. 

The main lemma we need for termination is that each application of R1-R5 maintains or decreases potential depth. 

Lemma 7 

If $G \rhd G'$, then $pd(G) \geq pd(G')$. 

Proof 

See Appendix A. □ 

Theorem 11 (Termination of Rewriting System) 

For every $G$, there is an integer $j$ such that for every sequence of formulas $G = G_0, G_1, G_2, \ldots, G_k$ such that $G_i \rhd G_{i+1}$ for all $1 \leq i < k$, we have that $k \leq j$. 

Proof 

Each of the rules R1-R5 increases the number of connectives in the formula, where $\mathit{if}$ is counted as one connective. However, the Lemma shows that the depth of the resultant formula is bounded by $pd(G)$. Since the formula tree has a bounded depth and bounded branching factor, there is a limit $j$ to how many nodes (connectives) it can contain. The rewriting process must stop at or before this limit. □ 
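As an added illustration of the rewriting of Section 6.3.1 and of the potential-depth argument behind Lemma 7 and Theorem 11 (this is example code written for this page, not code from the paper), the following Python rewrites the example formula $\mathit{if}[x](x = 0, p(x) \vee q(x))$ to depth-first normal form and computes $d$ and $pd$ along the trace. Only the rules whose shape is visible in this section are implemented: R2, R3 and R5 exactly as they act in the worked example, and R1, which is assumed here to be the left-hand mirror of R2 (Figure 15, which defines the rules, is not reproduced in this section, and R4 is omitted). The membership tests for negated-disjunction (N) and outer-disjunction (O) formulas are reconstructed from the examples of Section 6.3.1 and the proof of Theorem 13, and are likewise assumptions, as is the tuple encoding of formulas.

```python
# Added illustration of Sections 6.3.1-6.3.2 (not code from the paper).
# Formulas are nested tuples (encoding is my own):
#   ("eq", s, t)                   s = t, with terms as plain strings
#   ("pred", name, (t1, ..., tn))  predicate call p(t1, ..., tn)
#   ("and", A, B), ("or", A, B), ("not", A)
#   ("exists", x, A)               ∃x A
#   ("if", (x1, ..., xn), A, B)    if[x1, ..., xn](A, B)

# Positions of the immediate subformulas for each connective.
SUBFORMULAS = {"eq": (), "pred": (), "not": (1,), "and": (1, 2),
               "or": (1, 2), "exists": (2,), "if": (2, 3)}


def is_negated_disjunction(f):
    """N formula (assumed definition, from the examples in 6.3.1):
    no disjunction occurs outside the scope of a negation."""
    if f[0] == "or":
        return False
    if f[0] == "not":
        return True
    return all(is_negated_disjunction(f[i]) for i in SUBFORMULAS[f[0]])


def is_outer_disjunction(f):
    """O formula (assumed definition, from the proof of Theorem 13):
    above any disjunction there are only further disjunctions."""
    if f[0] == "or":
        return is_outer_disjunction(f[1]) and is_outer_disjunction(f[2])
    return is_negated_disjunction(f)


def step(f):
    """Apply one rewriting rule to the outermost redex; None if f is in DFNF."""
    tag = f[0]
    if tag == "and":
        a, b = f[1], f[2]
        if b[0] == "or":   # R2: A & (B1 ∨ B2)  ▷  (A & B1) ∨ (A & B2)
            return ("or", ("and", a, b[1]), ("and", a, b[2]))
        if a[0] == "or":   # R1 (assumed mirror of R2): (A1 ∨ A2) & B  ▷  (A1 & B) ∨ (A2 & B)
            return ("or", ("and", a[1], b), ("and", a[2], b))
    if tag == "exists" and f[2][0] == "or":   # R3: ∃x(B1 ∨ B2)  ▷  ∃x B1 ∨ ∃x B2
        return ("or", ("exists", f[1], f[2][1]), ("exists", f[1], f[2][2]))
    if tag == "if" and is_negated_disjunction(f[2]):
        # R5: if[x1..xn](B, C) with B an N formula  ▷  ∃x1...∃xn(B & C)
        body = ("and", f[2], f[3])
        for x in reversed(f[1]):
            body = ("exists", x, body)
        return body
    for i in SUBFORMULAS[tag]:          # no redex at the root: look inside
        g = step(f[i])
        if g is not None:
            return f[:i] + (g,) + f[i + 1:]
    return None


def rewrite_trace(f):
    """The sequence f = G0 ▷ G1 ▷ ... ▷ Gk ending in the normal form."""
    trace = [f]
    while (g := step(trace[-1])) is not None:
        trace.append(g)
    return trace


def dfnf(f):
    return rewrite_trace(f)[-1]


def depth(f):
    """d(G) from Section 6.3.2."""
    subs = SUBFORMULAS[f[0]]
    return 1 if not subs else max(depth(f[i]) for i in subs) + 1


def potential_depth(f):
    """pd(G) from Section 6.3.2; the if clause is n + 2pd(B) + max(pd(B), pd(C))."""
    tag = f[0]
    if tag in ("eq", "pred"):
        return 1
    if tag == "if":
        pb, pc = potential_depth(f[2]), potential_depth(f[3])
        return len(f[1]) + 2 * pb + max(pb, pc)
    return max(potential_depth(f[i]) for i in SUBFORMULAS[tag]) + 1


def pd_never_increases(f):
    """Lemma 7 along one trace: pd(G_i) >= pd(G_{i+1}), and d <= pd at every step."""
    trace = rewrite_trace(f)
    pds = [potential_depth(g) for g in trace]
    return (all(x >= y for x, y in zip(pds, pds[1:]))
            and all(depth(g) <= potential_depth(g) for g in trace))


def show(f):
    """Render a formula in the paper's notation."""
    tag = f[0]
    if tag == "eq":
        return f"{f[1]} = {f[2]}"
    if tag == "pred":
        return f"{f[1]}({', '.join(f[2])})"
    if tag == "not":
        return "¬" + show(f[1])
    if tag in ("and", "or"):
        return f"({show(f[1])} {'&' if tag == 'and' else '∨'} {show(f[2])})"
    if tag == "exists":
        return f"∃{f[1]}{show(f[2])}"
    return f"if[{','.join(f[1])}]({show(f[2])}, {show(f[3])})"


# The example of Section 6.3.1: if[x](x = 0, p(x) ∨ q(x)).
EXAMPLE = ("if", ("x",), ("eq", "x", "0"),
           ("or", ("pred", "p", ("x",)), ("pred", "q", ("x",))))

if __name__ == "__main__":
    for g in rewrite_trace(EXAMPLE):
        print(f"d={depth(g)} pd={potential_depth(g)}  {show(g)}")
```

Running the block prints the four-step trace R5, R2, R3 from the text, with $pd$ going $5, 4, 4, 4$ while the depth grows from 3 to 4 and never exceeds $pd$, which is the bound Theorem 11 relies on.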



6.3.3 Unique Normal Form and DFNF 

Because of local confluence and termination, we are able to state the following corollary, which shows that every goal has a unique normal form under the rewriting rules R1-R5. 

Corollary 12 (Unique Normal Form) 

For every formula $G$ not in normal form, there is a unique formula $G''$ in normal form such that for all $G'$ such that $G \rhd G'$, we have that $G' \rhd^* G''$. 

Proof 

See Appendix A. □ 

Because of this corollary, we are justified in making the following definition. The depth-first normal form of a formula, $\mathit{dfnf}(G)$, is the unique formula $G'$ such that $G \rhd^* G'$ and there is no $G''$ such that $G' \rhd G''$. (For instance, the depth-first normal form of the example formula from Section 6.3.1, $\mathit{if}[x](x = 0,\ p(x) \vee q(x))$, is $\exists x(x = 0 \& p(x)) \vee \exists x(x = 0 \& q(x))$.) Clearly, despite the complexity of the proofs of confluence and termination, we can obtain $\mathit{dfnf}(G)$ in a straightforward fashion, by simply applying one of the rules R1-R5 to any suitable redex (say, the outermost one) until there are no more redexes. 

We also note that $\mathit{dfnf}(G)$ is outer-disjunction, a fact which will be important soon. 
Theorem 13 

For all $G$, $\mathit{dfnf}(G)$ is outer-disjunction. 

Proof 

If $\mathit{dfnf}(G)$ were not outer-disjunction, it would have some disjunction as an immediate subformula of a conjunction, existential formula, or $\mathit{if}$ formula. In all these cases, one of rules R1-R5 would apply. □ 



6.3.4 Outcome Preservation 

We now show that the depth-first normal form transformation does not change the outcome of a goal under the pessimistic semantics. 

Theorem 14 (General Result Preservation of dfnf) 

If $\alpha'$ is $\alpha$ with some formulas transformed by applications of rules R1-R5, then $(\theta : \alpha \Rightarrow \rho)$ in the pessimistic semantics iff $(\theta : \alpha' \Rightarrow \rho)$ in the pessimistic semantics. 

Proof 

See Appendix A. □ 

We can now give the second raising lemma, by showing the specific result that we wanted to obtain. 

Lemma 8 (Raising Lemma 2) 

$\mathit{outcome}^{\cdot}(G) = \mathit{outcome}^{\cdot}(\mathit{dfnf}(G))$. 

Proof 

By Theorem 14, with respect to the pessimistic semantics, $(() : G \Rightarrow \rho)$ iff $(() : \mathit{dfnf}(G) \Rightarrow \rho)$. Therefore, with respect to the pessimistic semantics, $G$ succeeds (fails, diverges) exactly when $\mathit{dfnf}(G)$ succeeds (fails, diverges). □ 

Note that we have come one step closer to an abstract characterization of out- 
come, by reducing the problem of characterizing outcome of a general goal with 
respect to a general program to the problem of characterizing the outcome of an 
outer-disjunction goal with respect to the pessimistic semantics. 



6.4 The Valuation Function 

Finally we come to the definition of the valuation $v$, which characterizes the outcomes of outer-disjunction goals (e.g., goals in DFNF) with respect to the pessimistic semantics. This valuation is a compositional function from formulae to truth values, like valuations in standard theories of truth (Kripke, 1975; Fitting, 1985), and interprets the binary connectives in a manner consistent with the left-to-right search algorithm of Prolog. $v$ is based on the similar valuation in (Andrews, 1997). The valuation in that paper is on a domain of four truth values, but we need only three truth values here because we do not consider the flounder outcome. 

In this section, we first define the alethic ordering $\leq_t$ on truth values, and then the valuation function $v$ which uses it. Then we show that the valuation of a goal in outer-disjunction form is the same as its pessimistic outcome. 
6.4.1 Alethic Ordering and Valuation Function 

We define the alethic ordering $\leq_t$ on truth values as the least partial order relation such that $F \leq_t U$ and $U \leq_t T$. (See Fig. [?]. This is another standard ordering on these truth values; see for instance (Belnap, 1977).) The expression $\max_t(S)$, where $S$ is a set of truth values, is defined as the unique truth value $V$ such that $W \leq_t V$ for all $W \in S$. The alethic ordering is used in the valuation function to express the meaning of $\exists x\, G$ in terms of the meaning of the instances of $G$. 

$v$, a valuation function mapping ground, outer-disjunction (O) formulae to truth values in $\{T, U, F\}$, is defined as follows. 

• $v(t = t) = T$; 

• $v(s = t) = F$, where $s$ is not identical to $t$; 

• $v(p(t_1, \ldots, t_n)) = U$; 

• $v(B \& C) = v(C)$ if $v(B) = T$, and $v(B)$ otherwise; 

• $v(B \vee C) = v(C)$ if $v(B) = F$, and $v(B)$ otherwise; 

• $v(\exists x B) = \max_t(\{v(B[x := t]) \mid t \text{ ground}\})$; 

• $v(\neg B) = F$ if $v(B) = T$, $U$ if $v(B) = U$, and $T$ if $v(B) = F$. 

For instance, recall from an earlier section that $\mathit{true}$ is the formula $(0 = 0)$ and $\mathit{false}$ is the formula $(0 = 1)$. By the definition of $v$, we have that $v(\mathit{true}) = v(0 = 0) = T$, and $v(\mathit{false}) = v(0 = 1) = F$, as expected. We also have that $v(\neg \mathit{true}) = F$, $v(\mathit{true} \& \mathit{false}) = F$, and $v(\mathit{false} \vee \mathit{true}) = T$. We have that $v(\mathit{false} \vee p(0))$ and $v(\mathit{true} \& p(0))$ are both $U$, but $v(\mathit{false} \& p(0)) = F$ and $v(\mathit{true} \vee p(0)) = T$, consistent with how the pessimistic semantics would execute the formulas as queries. 

In fact, while $v(0 = 0) = T$, we have that $v(s = 0) = F$ for any term $s$ other than $0$. Therefore the set $\{v(t = 0) \mid t \text{ ground}\}$ is the set $\{v(0 = 0)\} \cup \{v(t = 0) \mid t \text{ ground and } t \neq 0\}$, i.e. $\{T\} \cup \{F\}$, or $\{T, F\}$. As a consequence, $v(\exists x(x = 0)) = \max_t(\{v(t = 0) \mid t \text{ ground}\}) = T$, since $T$ is the maximally true truth value in the set $\{T, F\}$. 
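The valuation just defined, as an added Python illustration (example code written for this page, not code from the paper): it implements $\max_t$, substitution $B[x := t]$ and the clauses of $v$ above, and reproduces every value derived in this subsection. One assumption departs from the text: the paper quantifies $\exists$ over all ground terms, while here the ground domain is a finite set passed in as a parameter, and terms are plain constant or variable names. The formula encoding is also my own. The last entry goes one step beyond the text and shows the case, used later in the proof of Raising Lemma 3, where the instance set is $\{U, F\}$ and the existential therefore evaluates to $U$.

```python
# Added illustration of Section 6.4.1 (not code from the paper). Formulas are
# nested tuples: ("eq", s, t), ("pred", name, args), ("and", A, B),
# ("or", A, B), ("not", A), ("exists", x, A); terms are plain strings.
# ASSUMPTION: the paper quantifies over all ground terms; here the ground
# domain is the finite set passed in.

T, U, F = "T", "U", "F"
ALETHIC_RANK = {F: 0, U: 1, T: 2}          # the alethic ordering F <t U <t T


def max_t(values):
    """max_t(S): the least upper bound of a non-empty set of truth values."""
    return max(values, key=ALETHIC_RANK.__getitem__)


def substitute(f, x, t):
    """B[x := t]: replace free occurrences of the variable x by the term t."""
    tag = f[0]
    sub = lambda a: t if a == x else a
    if tag == "eq":
        return ("eq", sub(f[1]), sub(f[2]))
    if tag == "pred":
        return ("pred", f[1], tuple(sub(a) for a in f[2]))
    if tag == "not":
        return ("not", substitute(f[1], x, t))
    if tag in ("and", "or"):
        return (tag, substitute(f[1], x, t), substitute(f[2], x, t))
    if tag == "exists":                      # an inner ∃x rebinds x: stop there
        return f if f[1] == x else ("exists", f[1], substitute(f[2], x, t))
    raise ValueError(f"v is not defined on {tag!r} formulas")


def v(f, domain):
    """The valuation of Section 6.4.1 on a ground, outer-disjunction formula."""
    tag = f[0]
    if tag == "eq":
        return T if f[1] == f[2] else F      # t = t is T; s = t with s ≠ t is F
    if tag == "pred":
        return U                             # a predicate call is unknown
    if tag == "and":                         # left-to-right, as Prolog searches
        b = v(f[1], domain)
        return v(f[2], domain) if b == T else b
    if tag == "or":
        b = v(f[1], domain)
        return v(f[2], domain) if b == F else b
    if tag == "not":
        return {T: F, U: U, F: T}[v(f[1], domain)]
    if tag == "exists":
        return max_t({v(substitute(f[2], f[1], t), domain) for t in domain})
    raise ValueError(f"v is not defined on {tag!r} formulas")


# Constructed sample formulas: true is (0 = 0) and false is (0 = 1), as in the text.
TRUE = ("eq", "0", "0")
FALSE = ("eq", "0", "1")
P0 = ("pred", "p", ("0",))
DOMAIN = frozenset({"0", "1", "a"})   # constructed finite ground domain (assumption)


def section_6_4_1_examples(domain=DOMAIN):
    """The values the text derives, keyed by the formula they belong to."""
    return {
        "true": v(TRUE, domain),
        "false": v(FALSE, domain),
        "not true": v(("not", TRUE), domain),
        "true & false": v(("and", TRUE, FALSE), domain),
        "false or true": v(("or", FALSE, TRUE), domain),
        "false or p(0)": v(("or", FALSE, P0), domain),
        "true & p(0)": v(("and", TRUE, P0), domain),
        "false & p(0)": v(("and", FALSE, P0), domain),
        "true or p(0)": v(("or", TRUE, P0), domain),
        "exists x (x = 0)": v(("exists", "x", ("eq", "x", "0")), domain),
        # beyond the text: the instance set {U, F} makes the existential U
        "exists x (x = 0 & p(x))":
            v(("exists", "x", ("and", ("eq", "x", "0"), ("pred", "p", ("x",)))), domain),
    }


if __name__ == "__main__":
    for name, val in section_6_4_1_examples().items():
        print(f"v({name}) = {val}")
```

Note that the finite domain does not change any of these values: for $\exists x(x = 0)$ any domain containing $0$ and one other constant yields the set $\{T, F\}$ the text describes, and the predicate-call clause returns $U$ regardless of the instance.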



6.4.2 Equivalence of Valuation and Pessimistic Outcome 

The valuation function $v$ characterizes precisely the behaviour of outer-disjunction formulae with respect to the pessimistic semantics. In preparation for this result, we state a proposition which is a weaker form of the converse of the witness properties, applying only to N formulas. 

Proposition 15 

Let $\alpha$ be a sequence of negated-disjunction (N) formulas, such that $(\theta : \alpha \Rightarrow \rho)$ in the pessimistic semantics. Let $V$ be a subset of the free variables of $\alpha$. Then: 
(1) If for some substitution $\xi$ grounding $V$ consistent with $\theta$, $(\theta : \alpha\xi \Rightarrow \theta')$ in the pessimistic semantics, then $\rho$ is some $\theta''$. 
(2) If for all substitutions $\xi$ grounding $V$ consistent with $\theta$, $(\theta : \alpha\xi \Rightarrow \mathit{fail})$ in the pessimistic semantics, then $\rho$ is $\mathit{fail}$. 

The fragment of the pessimistic semantics dealing with negated-disjunction formulas is identical to the fragment of the semantics of (Andrews, 1997) dealing with negated-disjunction formulas with respect to the empty program. The proof of this Proposition is thus a simple adaptation of the proof of Lemma 4.5 from (Andrews, 1997). Intuitively, the Proposition applies only to N formulas because instantiating an N formula will either cause it to fail or will not change the outcome of its computation. In contrast, for example, $B \vee C$ may diverge because $B$ diverges, but $B\theta \vee C\theta$ may succeed because $B\theta$ fails and $C\theta$ succeeds. We cannot draw any conclusions about the behaviour of $B \vee C$ from the behaviour of its instances. 

We are now in a position to state the third raising lemma, continuing our process 
of abstraction. Note that this lemma relates an operational notion (pessimistic 
outcome) to an entirely abstract one (valuation). 

Theorem 16 (Raising Lemma 3) 

If $G$ is ground and outer-disjunction, then $v(G) = \mathit{outcome}^{\cdot}(G)$. 

Proof 

By induction on the structure of $G$. Cases are on the outermost connective. We note only the three subcases of the case in which $G = \exists x B$. 

If $\mathit{outcome}^{\cdot}(G) = T$, there must be some $\theta'$ such that $(() : \exists x B \Rightarrow \theta')$ in the pessimistic semantics. In this case, we also have that $(() : B[x := x'] \Rightarrow \theta')$, and by the witness properties, there must be some ground $t$ and $\theta''$ such that $(() : B[x := x'][x' := t] \Rightarrow \theta'')$. Thus for some $t$, $\mathit{outcome}^{\cdot}(B[x := t]) = T$. By the induction hypothesis, $v(B[x := t]) = T$; and by the definition of $\max_t$, $v(G) = T$. 

If $\mathit{outcome}^{\cdot}(G) = F$, then $(() : \exists x B \Rightarrow \mathit{fail})$ in the pessimistic semantics. In this case, we also have that $(() : B[x := x'] \Rightarrow \mathit{fail})$, and by the witness properties, for all ground $t$, $(() : B[x := x'][x' := t] \Rightarrow \mathit{fail})$. Thus for all $t$, $\mathit{outcome}^{\cdot}(B[x := t]) = F$. By the induction hypothesis, $v(B[x := t]) = F$; and by the definition of $\max_t$, $v(G) = F$. 

Otherwise, $\mathit{outcome}^{\cdot}(G) = U$. By Prop. 15, there cannot be any $t$ such that $\mathit{outcome}^{\cdot}(B[x := t]) = T$, because otherwise $\mathit{outcome}^{\cdot}(G)$ would be $T$; and again by Prop. 15, it cannot be the case that for all $t$, $\mathit{outcome}^{\cdot}(B[x := t]) = F$, because otherwise $\mathit{outcome}^{\cdot}(G)$ would be $F$. Thus for some $t$, $\mathit{outcome}^{\cdot}(B[x := t]) = U$, so the set $\{v(B[x := t]) \mid t \text{ is ground}\}$ of truth values is either $\{U\}$ or $\{U, F\}$. Thus by the definition of $\max_t$, $v(G) = U$. □ 



6.5 The Denotation of a Program 

In this section, we give the final raising lemma which summarizes the previous 
ones. This lemma gives an expression which is an abstract characterization of the 
outcome of a goal; we therefore give a definition of the denotation of a program 
which uses this expression. 

Lemma 9 (Raising Lemma 4) 

For any ground goal $G$, 

$\mathit{outcome}_P(G) = \max_k(\{v(\mathit{dfnf}(G')) \mid G' \text{ is a } P\text{-unfolding of } G\})$. 

Proof 

By Raising Lemma 1, $\mathit{outcome}_P(G) = \max_k(\{\mathit{outcome}^{\cdot}(G') \mid G' \text{ is a } P\text{-unfolding of } G\})$. By Raising Lemma 2, $\mathit{outcome}^{\cdot}(G') = \mathit{outcome}^{\cdot}(\mathit{dfnf}(G'))$ for any $G'$. But by Theorem 13, $\mathit{dfnf}(G')$ is in outer-disjunction form for any $G'$; therefore by Raising Lemma 3, $\mathit{outcome}^{\cdot}(\mathit{dfnf}(G')) = v(\mathit{dfnf}(G'))$. Putting this all together, we conclude that $\mathit{outcome}_P(G) = \max_k(\{v(\mathit{dfnf}(G')) \mid G' \text{ is a } P\text{-unfolding of } G\})$. □ 

We therefore make the following definition. The denotation $v_P$ of a program $P$ is a valuation function defined by: 

$v_P(G) = \max_k(\{v(\mathit{dfnf}(G')) \mid G' \text{ is an unfolding of } G\})$. 

We have the following trivial theorem. 

Theorem 17 (Denotation) 

For any ground goal $G$, $\mathit{outcome}_P(G) = v_P(G)$. 

Proof 

By Raising Lemma 4 and the definition of $v_P$. □ 

Note that the restriction to ground goals does not decrease the generality of the denotation result, since a goal $G$ with free variables $x$ has the same outcome as the goal $\exists x\, G$. 

6.6 Example 

As a further example of how the denotation of a program defines the correct truth 
value of a goal, we derive the value obtained by applying the denotation of a program 
to a goal. 

Let the program $P$ be the second "delete" program from Section [?]: 

$d(x, y, z)$ :- 
    $(y = [] \& z = [])$ 
    $\vee\ \mathit{if}[ys](y = [x|ys],\ d(x, ys, z))$ 
    $\vee\ (\neg\exists ys(y = [x|ys])\ \&$ 
        $\exists y' \exists ys \exists zs(y = [y'|ys] \& z = [y'|zs] \& d(x, ys, zs)))$ 

Consider the goal $G = \exists z\, d(a, [], z)$. This goal asks whether there is a $z$ which is obtained by deleting $a$ everywhere from the empty list $[]$. It has the outcome $T$ in the conservative semantics, since there does exist a $z$, namely the empty list $[]$ itself, which is obtained that way. 

We take as our objective to derive the value of $v_P(G)$. From the definition of $v_P$, we have that $v_P(G) = \max_k(\{v(\mathit{dfnf}(G')) \mid G' \text{ is an unfolding of } G\})$. Let $S$ be the set $\{v(\mathit{dfnf}(G')) \mid G' \text{ is an unfolding of } G\}$; then $v_P(G) = \max_k(S)$. As discussed in the proof of Raising Lemma 1, if $\{U, T\} \subseteq S$, then $F \notin S$; so if we can find one unfolding of $G$ whose DFNF valuation is $U$ and another whose DFNF valuation is $T$, then we know $S = \{U, T\}$. 

In fact, we can find such unfoldings. The subsequent sections show that $G$ itself is such that $v(\mathit{dfnf}(G)) = U$, and that the first unfolding $G_1$ of $G$ is such that $v(\mathit{dfnf}(G_1)) = T$. Hence $v_P(G) = \max_k(S) = \max_k(\{U, T\}) = T$. 

First, we show that $v(\mathit{dfnf}(G)) = U$. Then, we find the expression for $G_1$ and for $\mathit{dfnf}(G_1)$. Finally, we show that $v(\mathit{dfnf}(G_1)) = T$. 

6.6.1 $v(\mathit{dfnf}(G)) = U$ 

$G$ is $\exists z\, d(a, [], z)$. This formula contains no disjunctions or $\mathit{if}$s, so none of the DFNF rewriting rules applies to it; hence $\mathit{dfnf}(G)$ is $G$ itself. By the definition of $v$, $v(\mathit{dfnf}(G)) = v(G) = v(\exists z\, d(a, [], z))$, which is the expression $\max_t(\{v(d(a, [], t)) \mid t \text{ is a ground term}\})$; that is, the maximally true truth value amongst the valuations of all the formulas of the form $d(a, [], t)$, where $t$ is a ground term. 

However, by the definition of $v$, the valuation of any predicate call formula is $U$ (since $v$ correctly characterizes the pessimistic semantics). Hence $\max_t(\{v(d(a, [], t)) \mid t \text{ is a ground term}\}) = \max_t(\{U\}) = U$. Since this was the expression for $v(\mathit{dfnf}(G))$, we have that $v(\mathit{dfnf}(G)) = U$. 

6.6.2 First Unfolding and its DFNF 

$G$ is $\exists z\, d(a, [], z)$. The first unfolding of $G$, $G_1$, can be obtained by replacing the predicate call within it by the body of the definition of the predicate $d$, replacing formal by actual parameters. Therefore: 

$G_1 = \exists z($ 
    $([] = [] \& z = [])$ 
    $\vee\ \mathit{if}[ys]([] = [a|ys],\ d(a, ys, z))$ 
    $\vee\ (\neg\exists ys([] = [a|ys])\ \&$ 
        $\exists y' \exists ys \exists zs([] = [y'|ys] \& z = [y'|zs] \& d(a, ys, zs))))$ 

We abbreviate this formula as $\exists z(G_1' \vee G_2' \vee (G_3' \& G_4'))$. 

The DFNF rewriting rule R3 can be applied twice to $G_1$, to yield the formula $(\exists z(G_1') \vee \exists z(G_2') \vee \exists z(G_3' \& G_4'))$. $G_2'$ is an $\mathit{if}$ formula, $\mathit{if}[ys]([] = [a|ys],\ d(a, ys, z))$, whose first subformula $([] = [a|ys])$ is a negated-disjunction formula; hence, the DFNF rewriting rule R5 can be applied to it, yielding the subformula $G_5' = \exists ys([] = [a|ys] \& d(a, ys, z))$. At this point, no more of the DFNF rewriting rules can be applied to the formula, so it is in depth-first normal form. Hence, $\mathit{dfnf}(G_1) = (\exists z(G_1') \vee \exists z(G_5') \vee \exists z(G_3' \& G_4'))$, where: 

• $G_1' = ([] = [] \& z = [])$; 

• $G_5' = \exists ys([] = [a|ys] \& d(a, ys, z))$; 

• $G_3' = \neg\exists ys([] = [a|ys])$; and 

• $G_4' = \exists y' \exists ys \exists zs([] = [y'|ys] \& z = [y'|zs] \& d(a, ys, zs))$. 
6.6.3 $v(\mathit{dfnf}(G_1)) = T$ 

$v(\mathit{dfnf}(G_1)) = v(\exists z(G_1') \vee \exists z(G_5') \vee \exists z(G_3' \& G_4'))$. We can therefore obtain the value of $v(\mathit{dfnf}(G_1))$ by first obtaining the values of its disjuncts. By the definition of $v$, we have that $v(\exists z(G_1'))$ is the value of the expression $\max_t(\{v([] = [] \& t = []) \mid t \text{ is a ground term}\})$. The value of $v([] = [] \& t = [])$ is $T$ if the values of both $v([] = [])$ and $v(t = [])$ are $T$, and it is $F$ otherwise. However, $v([] = [])$ is always $T$; and $v(t = [])$ is $T$ if $t$ is $[]$, and otherwise is $F$. 

The set $\{v([] = [] \& t = []) \mid t \text{ is a ground term}\}$ therefore consists of the two truth values $\{T, F\}$. The maximally true member of this set is $T$; hence, $v(\exists z(G_1')) = \max_t(\{T, F\}) = T$. Now, $\mathit{dfnf}(G_1)$ is of the form $(\exists z(G_1') \vee H)$; so $v(\mathit{dfnf}(G_1)) = v(\exists z(G_1') \vee H)$. By the definition of $v$ and because $v(\exists z(G_1')) = T$, $v(\exists z(G_1') \vee H) = T$; hence $v(\mathit{dfnf}(G_1)) = T$. 

We conclude the example by reiterating the value of $v_P(G)$. Because $v(\mathit{dfnf}(G)) = U$ and $v(\mathit{dfnf}(G_1)) = T$, the set $\{v(\mathit{dfnf}(G')) \mid G' \text{ is an unfolding of } G\}$ is just $\{U, T\}$. Therefore: 

$v_P(G) = \max_k(\{v(\mathit{dfnf}(G')) \mid G' \text{ is an unfolding of } G\})$ 
$= \max_k(\{U, T\})$ 
$= T$ 

This result accords with the fact that the original goal $G$ did succeed under the conservative semantics. 

6.7 Discussion 

Note that the abstract semantics is based on six basic, relatively simple notions: the notion of truth value, the two orderings of the truth values, the notion of predicate unfolding, the notion of depth-first normal form, and the logical valuation. 
The notion of depth-first normal form, in turn, is based on a rewriting system 
of five rules. The predicate unfolding and normal form constructions essentially 
do local meaning-preserving transformations to prepare the goal in question for 
characterization, and the valuation actually performs that characterization. 

In some sense, the crucial element of the abstract semantics, the element which allows it not to reify such notions as substitutions and unification, is the $\exists$ clause of the definition of $v$. Rather than view a variable operationally, as a placeholder in a term which at some future point can be replaced by another term, the $\exists$ clause allows us to view it as a true variable ranging over a fixed domain of discourse. This, in turn, has been enabled by the witness properties of the conservative semantics. Without the witness properties, we would not have been able to prove that the value of $v(\exists x\, G)$ could be derived directly from the consideration of the values of $v(G[x := t])$, for any ground $t$. Hence, the witness properties are useful not only 
from the point of view of intuitively justifying the behaviour of a logic programming 
system, but also on theoretical grounds. 
7 Conclusions 

The main contributions of this paper are as follows. 

• We have defined an extension of Prolog with hard cut and negation as failure 
in which programs can provably be put in a convenient "completed" form. 
This completion has been achieved by using a variable-binding choice con- 
struct, if. 

• We have identified the witness properties as important properties intermedi- 
ate between the strict logicalness of pure Horn clause programming and the 
unrestricted freedom of typical Prolog implementations. 

• We have defined restrictions on the computation of extended programs which 
allow the resulting system to achieve the witness properties. We have referred 
to the resulting notion of cut as firm cut, insofar as it is intermediate between 
hard and soft cut. 

• We have defined an abstract semantics for the restricted system (taking depth- 
first termination, rather than universal termination, as its observable) , which 
uses the witness properties in order to avoid reifying the concepts of unifica- 
tion and substitution. 

Long investigations by the author have not resulted in any semantics for Prolog 
which allow the full range of behaviour of hard cut while rising in any meaningful 
way above the level of an operational semantics. We do not believe at this point that 
such a semantics is possible. We believe that the system with firm cut, as defined 
in this paper, is the best compromise yet found between the power of the hard cut 
and the logical rigour of the soft cut. We believe that the behaviours of hard cut 
excluded by firm cut are unlikely to be missed by Prolog programmers, and that the 
witness properties achieved by firm cut capture the core of programmers' desiderata 
about a logic programming system, even though they are not in complete harmony 
with logic. However, these are merely beliefs. We invite readers to decide whether 
they agree or disagree based on their experience. 

The more theoretically substantiated conclusions we draw from this work are as 
follows. 

• The widely-held view that features such as cut and negation as failure entirely 
destroy the declarative interpretation of logic programming systems seems to 
be too strong. While firm cut cannot be interpreted as a logical construct, 
the abstract semantics developed here suggest that a system with firm cut 
is more declarative than one with hard cut, while still retaining behaviour of 
hard cut which is useful in practice. 

• If a logic programming language does not achieve soundness with respect to 
traditional logical interpretations, it might still be possible for it to achieve the 
witness properties. Given that practical, widely-used languages often imple- 
ment pragmatic features which depart from well-defined semantics, insisting 
on the witness properties might be an acceptable alternative to insisting on 
soundness with respect to first order logic. 

• The Prolog syntax and clause-based operational semantics are difficult to work with in an abstract setting when taking cut into consideration. We have found it easier to study semantic issues with programs in "completed" program form, and the structured operational semantics, described in this paper. The syntax of the Mercury language (Somogyi et al., 1996) is already closer to the completed form described here, since it uses an efficient "if" formula (though the "if" of Mercury corresponds to soft cut, not firm cut). 

There are several interesting open questions suggested by this research. 

• Are other "non-logical" features of Prolog able to be given a form which allows 
the witness properties to be preserved? Obviously there is no hope for the var 
and nonvar predicates, which check the instantiation of their arguments, but 
what about assert, retract, bagof , and so on? 

• What is the largest subset of the liberal general semantics with the witness 
properties? That is, can we define an operational semantics analogous to the 
conservative semantics, but with respect to which all goals with the witness 
properties do not flounder? The answer to this question may lie with different 
strategies for coping with negation. 

• Can a mode inference system be devised which ensures non-floundering of 
goals? That is, can we automate the process of defining modes for a program 
that will guarantee that no goal consistent with the inferred modes of the 
program's predicates will flounder? 

We have implemented the ideas contained in this paper in an experimental proof assistant program called SVP (Spreadsheet Verifier for Prolog), whose user interface has been described in (Andrews, 1998). SVP transforms a Prolog program with cuts into completed form, and then assists the user in proving theorems in an assertion language similar to those defined in (Andrews, 1991; Stark, 199?). We hope to report on this work in the future. 
A Proofs of Results 

A.1 Completion Algorithm Properties 

Lemma 1. 

Let $\alpha$ be a goal stack. Let $\alpha'$ be $\alpha$ with any number of occurrences of a sequence $B, C$ in a goal stack or clause body replaced by $B \& C$, where $B$ and $C$ are formulas. Then $(\theta : \alpha \Rightarrow_P \rho)$ in the liberal general semantics iff $(\theta : \alpha' \Rightarrow_P \rho)$ in the liberal general semantics. 

Proof 

By induction on the number of replacements of $B, C$ by $B \& C$. The base case (0 replacements) is trivial. For the inductive case, it suffices to demonstrate the case where $\alpha'$ is derived from $\alpha$ by one replacement of $B, C$ by $B \& C$. This in turn we prove by induction on the structure of the computation of $\alpha$. If $\alpha$ begins with $B, C$ and $\alpha'$ begins with $B \& C$, then the computation of $\alpha'$ can be derived from that of $\alpha$ with one Conj step. Otherwise, either the first formulas in the two goal stacks are identical, or they have the same top-level connective; in either case, regardless of the bottommost rule applied, the result follows straightforwardly from the induction hypothesis. □ 

Lemma 2. 

Let $P'$ be $P$ with some sequence $B, C$ in a clause body replaced by $B \& C$. Then $\theta : \alpha \Rightarrow_P \rho$ in the liberal general semantics iff $\theta : \alpha \Rightarrow_{P'} \rho$ in the liberal general semantics. 

Proof 

By the Lemma, we can add new rules to the operational semantics as follows: 

          θ : α' ⇒_P ρ                   θ : α ⇒_P ρ 
    (1) ------------------         (2) ------------------ 
          θ : α ⇒_P ρ                    θ : α' ⇒_P ρ 

where $\alpha'$ is $\alpha$ with any number of occurrences of a sequence $B, C$ in a goal stack or clause body replaced by $B \& C$. Moreover, by the Lemma, we can essentially insert applications of these rules anywhere in a computation and derive a computation of the premise from the computation of the conclusion. 

Therefore the ($\rightarrow$) direction of the theorem can be proven as follows. Given the computation of $\theta : \alpha \Rightarrow_P \rho$, insert an application of (1) above each Pred rule involving the clause transformed in $P'$, obtaining the computation of the premise from the Lemma. The transformed proof will have sections of the form: 

    θ : p(t) using(γ'), α ⇒_P ρ 
    ------------------------------- 
    θ : p(t) using(γ), α ⇒_P ρ 
    ------------------------------- 
    θ : p(t), α ⇒_P ρ 

To obtain the computation of $\theta : \alpha \Rightarrow_{P'} \rho$, replace each such section by 

    θ : p(t) using(γ'), α ⇒_{P'} ρ 
    -------------------------------- 
    θ : p(t), α ⇒_{P'} ρ 

and replace $P$ by $P'$ everywhere else. The other direction of the theorem can be proven by inverting this operation. □ 
Theorem [?]. 

The completion algorithm preserves result according to the liberal general operational semantics. That is, if $P'$ is the completion of $P$, then $\theta : \alpha \Rightarrow_P \rho$ in the liberal general semantics iff $\theta : \alpha \Rightarrow_{P'} \rho$ in the liberal general semantics. 

Proof 

We prove the theorem by proving that each of the transformations preserves result. 
In what follows, we will refer to the original program as P and the program after 
the single transformation in question as P' . 

Step 2.2: Clearly the two computations are equivalent up to a renaming of some of the variables involved in the computations. 

Step 2.3: It suffices to show that any application of any of the four Using rules with $P$ corresponds to parts of computations with $P'$. Consider an application of the Using/nocut/succ rule with $P$, where the formula being considered is an application of predicate $p$. The bottommost portion of the computation is: 

    θξ : ηξ, αξ ⇒ θ' 
    ----------------------------------------------------------------------- 
    θ : (s_1 = t_1), ..., (s_k = t_k), ..., (s_n = x_n), η, α ⇒ θ' 
    ----------------------------------------------------------------------- 
    θ : p(s_1, ..., s_n) using(p(t_1, ..., t_k, ..., x_n) :- η), α ⇒ θ' 

where $\xi$ is the substitution resulting from the unifications. With $P'$, the bottommost portion of the computation is the following: 

    θξ' : ηξ', αξ' ⇒ θ' 
    ------------------------------------------------------------------------------------ 
    θ : (s_1 = t_1), ..., (s_k = x_k), ..., (s_n = x_n), (x_k = t_k), η, α ⇒ θ' 
    ------------------------------------------------------------------------------------ 
    θ : p(s_1, ..., s_n) using(p(t_1, ..., x_k, ..., x_n) :- (x_k = t_k), η), α ⇒ θ' 

where $\xi'$ is the substitution resulting from the unifications. However, by the properties of unification, we can rearrange the equality formulas in the judgement second from the bottom to read: $(s_1 = t_1), \ldots, (x_k = s_k), (x_k = t_k), \ldots, (s_n = x_n)$. This sequence makes it clear that the result substitution $\xi'$ is identical to $\xi$. The cases of the other Using rules are proven similarly. 
Step 3: See Lemma 2 just before this theorem. 

Step 4: Let $\alpha$ be a goal stack, and let $\alpha'$ be $\alpha$ with the formula $\mathit{true}$ inserted anywhere in a sequence of goal stack elements or body elements. Then $(\theta : \alpha \Rightarrow_P \rho)$ iff $(\theta : \alpha' \Rightarrow_P \rho)$, by a simple structural induction. We can then follow the same line of reasoning as in Lemma 2 to conclude that inserting $\mathit{true}$ anywhere in a clause body preserves result. 

Step 5: When a clause with two consecutive cuts appears, instances of the Body/cut/succ rule will arise in which $\eta_1$ is empty; that is, a portion of some computations will be of the form 

    θ : ε ⇒ θ        θ : body(η_2), α ⇒ ρ 
    ---------------------------------------- 
    θ : body(!, η_2), α ⇒ ρ 
where the Success rule has been used at the left-hand premise. When the program is transformed to remove the second cut, this portion of the computation will be replaced by the single judgement $(\theta : \mathit{body}(\eta_2), \alpha \Rightarrow \rho)$. 

Step 6: See Step 4 above. 

Step 7: See Step 4 above. 

Step 8: The original computation may have applications of the Body/cut/succ rule of the following form: 

    θ : η_1 ⇒ θ'        θ' : body(η_2)θ', αθ' ⇒ ρ 
    ----------------------------------------------- 
    θ : body(η_1, !, η_2), α ⇒ ρ 

This part of the computation is replaced in the new computation by the following sequence: 

    θ[y := y'] : η_1 ⇒ θ' 
    --------------------------------- 
    θ : y = y', η_1[y := y'] ⇒ θ'                  θ' : body(η_2)θ', αθ' ⇒ ρ 
    ------------------------------------------------------------------------ 
    θ : q(y) using(q(y') :- η_1[y := y'], !, η_2[y := y']), α ⇒ ρ 
    ------------------------------------------------------------------------ 
    θ : q(y), α ⇒ ρ 
    ------------------------------------------------------------------------ 
    θ : body(q(y)), α ⇒ ρ 

Note that the substitution $[y := y']$ has the effect of restoring $\eta_1, \eta_2$ to their original naming. We do not show $[y := y']$ elsewhere since the computations are equivalent up to renaming. 

The original computation may also have applications of Body/cut/fail, which are transformed similarly. 

Step 9.2: In computations with $P$, variables in the clause are renamed apart at the appropriate applications of the Pred rule. In computations with $P'$, the $y$ variables are bound and therefore not renamed apart. However, they become renamed apart in Exists rule applications above the application of the Using or Body rule in which they become part of the goal stack. 

Step 9.3: The original computation may have portions ending with applications of the Using/cut/succ rule, of the form 

    θξ : Fξ ⇒ θ' 
    --------------------        θ' : Gθ', αθ' ⇒ ρ 
    θ : t = x, F ⇒ θ'           θ' : body(G)θ', αθ' ⇒ ρ 
    ----------------------------------------------------- 
    θ : p(t) using(p(x) :- F, !, G), α ⇒ ρ 

where $\xi$ is the substitution resulting from the unification of $t$ with $x$. (Without loss of generality, to avoid confusion, we assume that the free variables of the clause are different from those in $t$ and $\alpha$, and do not require renaming apart.) The computation with respect to $P'$ will have this portion of the computation replaced by the following: 

    θξ : Fξ ⇒ θ'        θ' : Gξθ', αξθ' ⇒ ρ 
    ------------------------------------------ 
    θξ : if[y](F, G)ξ, αξ ⇒ ρ 
    ------------------------------------------ 
    θ : t = x, if[y](F, G), α ⇒ ρ 
    ------------------------------------------ 
    θ : p(t) using(p(x) :- if[y](F, G)), α ⇒ ρ 

However, because the $x$ are distinct and different from the variables in $\alpha$, $\alpha\xi$ is just $\alpha$; and because $\theta'$ has arisen from $\theta\xi$, $\xi\theta' = \theta'$. Thus the two judgements at the top of this portion of the computation are the same as the two at the top of the portion of the computation with respect to $P$. 

The original computation may also have applications of Using/cut/fail, which are transformed similarly. 

Step 10.2: The original computation may have portions ending in applications of the Using/nocut/succ rule, of the form 

    θξ : Gξ, αξ ⇒ ρ 
    --------------------------------------------- 
    θ : t = x, G, α ⇒ ρ 
    --------------------------------------------- 
    θ : p(t) using(p(x) :- G; p(x) :- H), α ⇒ ρ 

where $\xi$ is the substitution resulting from the unification of $t$ with $x$. (Again, without loss of generality we assume the free variables of the clauses are different from those of the conclusion.) The computation with respect to $P'$ will have this portion of the computation replaced by the following: 

    θξ : Gξ, αξ ⇒ ρ 
    ----------------------------------------- 
    θξ : ∃y(G)ξ, αξ ⇒ ρ 
    ----------------------------------------- 
    θξ : ∃y(G)ξ ∨ Hξ, αξ ⇒ ρ 
    ----------------------------------------- 
    θ : t = x, ∃y(G) ∨ H, α ⇒ ρ 
    ----------------------------------------- 
    θ : p(t) using(p(x) :- ∃y(G) ∨ H), α ⇒ ρ 

The topmost judgements of these portions of the proof are the same. 

The original computation may also have applications of Using/nocut/fail, which are transformed similarly. 

Step 10.3: The original computation may have portions ending in applications of the Using/cut/succ rule, of the form 

    θξ : Fξ ⇒ θ' 
    --------------------        θ' : Gθ', αθ' ⇒ ρ 
    θ : t = x, F ⇒ θ'           θ' : body(G)θ', αθ' ⇒ ρ 
    ----------------------------------------------------- 
    θ : p(t) using(p(x) :- F, !, G; p(x) :- H), α ⇒ ρ 

where $\xi$ is the substitution resulting from the unification of $t$ and $x$. (Throughout, we assume the variables of the clauses are distinct from the other variables in the computation.) The computation with $P'$ will have this portion replaced by the following: 

    θξ : Fξ ⇒ θ'        θ' : Gξθ', αξθ' ⇒ ρ 
    ------------------------------------------------------------ 
    θξ : if[y](F, G)ξ, αξ ⇒ ρ 
    ------------------------------------------------------------ 
    θξ : (if[y](F, G) ∨ (¬∃y(F) & H))ξ, αξ ⇒ ρ 
    ------------------------------------------------------------ 
    θ : t = x, if[y](F, G) ∨ (¬∃y(F) & H), α ⇒ ρ 
    ------------------------------------------------------------ 
    θ : p(t) using(p(x) :- if[y](F, G) ∨ (¬∃y(F) & H)), α ⇒ ρ 

As in Step 9.3, because of the way the substitutions were formed, the topmost judgements in this portion of the $P'$ computation are the same as those at the top of the portion of the $P$ computation. 

The original computation may also have portions ending in applications of the Using/cut/fail rule, of the form 

                                  θξ : Hξ, αξ ⇒ ρ 
    θξ : Fξ ⇒ fail                --------------------------------- 
    ---------------------         θ : t = x, H, α ⇒ ρ 
    θ : t = x, F ⇒ fail           --------------------------------- 
                                  θ : p(t) using(p(x) :- H), α ⇒ ρ 
    ------------------------------------------------------------------- 
    θ : p(t) using(p(x) :- F, !, G; p(x) :- H), α ⇒ ρ 

where $\xi$ is the substitution renaming the variables of the first clause apart, and $\xi'$ is the substitution resulting from the unification of $t$ and $x$. The computation with $P'$ will have this portion replaced by the following: 

    θξ : Fξ ⇒ fail 
    ---------------------- 
    θξ : ∃y(F)ξ ⇒ fail              θξ : Hξ, αξ ⇒ ρ 
    --------------------------------------------------- 
    θξ : Fξ ⇒ fail                  θξ : ¬∃y(F)ξ, Hξ, αξ ⇒ ρ 
    -----------------------------   ----------------------------- 
    θξ : if[y](F, G)ξ, αξ ⇒ fail    θξ : (¬∃y(F) & H)ξ, αξ ⇒ ρ 
    --------------------------------------------------------------- 
    θξ : (if[y](F, G) ∨ (¬∃y(F) & H))ξ, αξ ⇒ ρ 
    --------------------------------------------------------------- 
    θ : t = x, if[y](F, G) ∨ (¬∃y(F) & H), α ⇒ ρ 
    --------------------------------------------------------------- 
    θ : p(t) using(p(x) :- if[y](F, G) ∨ (¬∃y(F) & H)), α ⇒ ρ 

The three judgements at the top of this $P'$ computation portion consist of two instances of one of the judgements at the top of the $P$ portion, and one instance of the other one. 

Since all the individual transformations preserve result, we conclude that the entire transformation process preserves result. □ 

A.2 Witness Properties of Conservative Semantics 

Lemma. 

Let θ, α be such that (θ : α ⇒ fail) in the conservative semantics. Then for any ξ, 
(θ : αξ ⇒ fail) in the conservative semantics. 

Proof 

By induction on the structure of the computation of (θ : α ⇒ fail). Cases are on 
the bottommost rule applied. 

Unif/succ: Let σ be the mgu found in the rule. If sξ and tξ are identical, the 
result follows from the induction hypothesis (IH). Otherwise, if sξ and tξ have 
mgu σ', then since σ is an mgu of s and t, there must be some ξ' such that 
ξσ' = σξ'. The result then follows from the IH. Otherwise, sξ and tξ do 
not unify, and the computation fails with a single Unif/fail step. 

Unif/fail: If sξ and tξ had a unifier σ, then s and t would have a unifier ξσ. Since 
s and t have no unifier, the computation of θ : αξ ⇒ fail also consists of just one 
Unif/fail step. 

Success: Cannot occur. 

Conj, Disj/nofail, Disj/fail: Directly from the IH. 

Exists: We have not required that the substitution ξ substitutes a term for x'. 
Therefore the result follows from the IH. 

Not/succ: B has no free variables, so the computation for θ : Bξ is the same 
as that for θ : B. 

Not/fail: Again, B has no free variables, so the computation of the left-hand 
premise is the same. The result then follows from the IH. 

Not/flounder, Not/sub: cannot occur. 

If/succ: We must prove that θ : if[x](B, Cξ), αξ ⇒ fail. (B has no free variables 
other than x, and if binds the variables x. We assume without loss of generality that 
dom(ξ) ∩ {x} = ∅.) For this, it suffices to prove that, for some θ', θ : B[x := x'] ⇒ θ' 
(which it does by assumption), and that θ' : Cξ[x := x']θ', αξ ⇒ fail. Because the x' 
do not appear in the conclusion, Cξ[x := x']θ' is the same thing as C[x := x']θ'ξ. 
The result therefore follows from the induction hypothesis. 

If/fail: B has no free variables other than the x variables, so the computation 
θ : B[x := x']ξ ⇒ fail is the same as that for θ : B[x := x'] ⇒ fail. By the 
hypothesis, this computation fails. 

If/flounder, If/sub: Cannot occur. 

Pred: Directly from the IH. □ 

Lemma. 

Let θ, α be such that αθ = α and θ : α ⇒ θ' in the conservative semantics. Then θ' ⊆ θ. 
Proof 

By induction on the structure of the computation. The only rule which modifies the 
substitution in the judgements is the Unif/succ rule, which obviously produces a 
more specific substitution. All other cases are straightforward consequences of the 
induction hypothesis. □ 

Lemma. 

Let θ, α be such that θ : α ⇒ θ' in the conservative semantics. Let V be a subset of the 
free variables of α. Then for any ξ grounding V consistent with θ', θ : αξ ⇒ θ'ξ in the 
conservative semantics. 
Proof 

By induction on the structure of the computation. Cases are on the bottommost 
rule. 

Unif/success: Let σ be the mgu found in the rule. By substitution monotonicity, 
any ξ grounding V consistent with θ' must also ground V consistent with σ. Thus 
αξσ is the same as ασξ, and the result follows from the induction hypothesis (IH). 

Unif/fail: Cannot occur. 

Success: Trivial. 

Conj, Disj/nofail: Directly from the IH. 

Disj/fail: From the General Failure Property, we have that θ : Bξ, αξ ⇒ fail. 
From the IH, we have that θ : Cξ, αξ ⇒ θ'ξ. The result follows in one Disj/fail 
step. 

Exists: Because V is also a subset of the free variables of B[x := x'], the result 
follows from the IH. 

Not/succ: Cannot occur. 

Not/fail: Because B has no free variables, Bξ is the same as B. The result follows 
from the original left-hand premise and from the IH. 
Not/flounder, Not/sub: Cannot occur. 

If/succ: We assume without loss of generality that dom(ξ) ∩ {x} = ∅. (We can do 
this because the x variables are renamed and thus can be prevented from appearing 
in θ'.) We must therefore prove that (θ : if[x](B, Cξ), αξ ⇒ θ'ξ). By assumption, 
θ : B[x := x'] ⇒ θ'' for some θ''. By the IH, θ'' : C[x := x']θ''ξ, αξ ⇒ θ'ξ. 
By substitution monotonicity, ξ must ground V consistent with θ'' as well. Thus 
C[x := x']θ''ξ is the same as (Cξ)[x := x']θ'', and the result follows in one If/succ 
step. 

If/fail, If/flounder, If/sub: Cannot occur. 
Pred: Directly from the IH. □ 

A.3 Depth-First Normal Form Results 

Theorem 10. 

If A ⊳ A1 and A ⊳ A2, then there is an A3 such that A1 ⊳* A3 and A2 ⊳* A3. 
Proof 

There are five cases, one for each of the rules R1-R5 applied to derive A1 from A. 
We will give only the argument for R1, since the arguments for the rest are similar 
or simpler. We write A[B1, ..., Bn] for a formula A with distinguished subformulas 
B1, ..., Bn, and A[C1, ..., Cn] for that formula with the distinguished B1, ..., Bn 
replaced by C1, ..., Cn. 

Let A be A[(B1 ∨ B2) & C], and A1 be A[(B1 & C) ∨ (B2 & C)]. If A2 is derived 
from applying R1 to the same location, the result is trivially true. A2 cannot be 
derived from applying R2 to the same location, because (B1 ∨ B2) is not negated- 
disjunction. A2 also cannot be derived from applying R3-R5 to the same location. 
We therefore have four subcases. In the first three subcases, A2 may be one of 
A[(B1' ∨ B2) & C], A[(B1 ∨ B2') & C], or A[(B1 ∨ B2) & C']. In the first subcase, one 
step from either A1 or A2 will lead to A[(B1' & C) ∨ (B2 & C)]. The second subcase 
is similar. In the third subcase, two steps from A1 and one from A2 will lead to 
A[(B1 & C') ∨ (B2 & C')]. The final subcase is when A can be written as A[(B1 ∨ 
B2) & C, D], A1 is A[(B1 & C) ∨ (B2 & C), D], and A2 is A[(B1 ∨ B2) & C, D']. In this 
case, one step from either A1 or A2 will lead to A[(B1 & C) ∨ (B2 & C), D']. □ 

Lemma 11. 

If G ⊳ G', then pd(G) ≥ pd(G'). 
Proof 

Clearly rules R1-R3 maintain potential depth; the difficult cases are R4 and R5. 

Case R4: If R4 was applied at the top level, then we have G = if[x]((B1 ∨ B2), C) 
and G' = if[x](B1, C) ∨ (¬(∃xB1) & if[x](B2, C)). Let the length of x be n. Now we 
have that 

\[
\begin{aligned}
pd(G') &= pd(\mathit{if}[x](B_1, C) \vee (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C))) \\
&= \max(\, pd(\mathit{if}[x](B_1, C)) + 1,\ pd(\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)) + 1 \,) \\
&= \max(\, 1 + n + 2pd(B_1) + \max(pd(B_1), pd(C)),\ pd(\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)) + 1 \,) \\
&= \max(\, 1 + n + 3pd(B_1),\ 1 + n + 2pd(B_1) + pd(C),\ pd(\neg(\exists x B_1)) + 2,\ pd(\mathit{if}[x](B_2, C)) + 2 \,) \\
&= \max(\, 1 + n + 3pd(B_1),\ 1 + n + 2pd(B_1) + pd(C),\ 3 + n + pd(B_1),\ 2 + n + 2pd(B_2) + \max(pd(B_2), pd(C)) \,) \\
&= \max(\, 1 + n + 3pd(B_1),\ 1 + n + 2pd(B_1) + pd(C),\ 3 + n + pd(B_1),\ 2 + n + 3pd(B_2),\ 2 + n + 2pd(B_2) + pd(C) \,) \\
&= \max(\, 1 + n + 3pd(B_1),\ 1 + n + 2pd(B_1) + pd(C),\ 2 + n + 3pd(B_2),\ 2 + n + 2pd(B_2) + pd(C) \,)
\end{aligned}
\]

There are now two subcases. Subcase 1: if pd(B1) > pd(B2), then 

\[
\begin{aligned}
pd(G) &= pd(\mathit{if}[x]((B_1 \vee B_2), C)) \\
&= n + 2pd(B_1 \vee B_2) + \max(pd(B_1 \vee B_2), pd(C)) \\
&= n + 2 + 2pd(B_1) + \max(1 + pd(B_1), pd(C)) \\
&= \max(3 + n + 3pd(B_1),\ 2 + n + 2pd(B_1) + pd(C))
\end{aligned}
\]

and pd(G') simplifies to max(1 + n + 3pd(B1), 1 + n + 2pd(B1) + pd(C)). Thus if 
pd(C) > pd(B1), we have 

\[
pd(G) = (2 + n + 2pd(B_1) + pd(C)) > (1 + n + 2pd(B_1) + pd(C)) = pd(G')
\]

and otherwise (pd(C) ≤ pd(B1)) we have 

\[
pd(G) = (3 + n + 3pd(B_1)) > (1 + n + 3pd(B_1)) = pd(G')
\]

so in both cases, pd(G) > pd(G'). 
Subcase 2: otherwise, pd(B2) ≥ pd(B1). We have: 

\[
pd(G) = \max(3 + n + 3pd(B_2),\ 2 + n + 2pd(B_2) + pd(C))
\]

and pd(G') simplifies to max(2 + n + 3pd(B2), 2 + n + 2pd(B2) + pd(C)). Thus if 
pd(C) > pd(B2), we have 

\[
pd(G) = (2 + n + 2pd(B_2) + pd(C)) = (2 + n + 2pd(B_2) + pd(C)) = pd(G')
\]

and otherwise (pd(C) ≤ pd(B2)) we have 

\[
pd(G) = (3 + n + 3pd(B_2)) > (2 + n + 3pd(B_2)) = pd(G')
\]

so in both cases, pd(G) ≥ pd(G'). 

Similarly, if R4 was applied not at the top level, pd(G) ≥ pd(G'), since if any 
subformula is transformed to have lower potential depth, the whole formula has 
lower potential depth. 

If R5 was applied at the top level, we have 

\[
pd(G) = pd(\mathit{if}[x](B, C)) = n + 2pd(B) + \max(pd(B), pd(C)) = \max(n + 3pd(B),\ n + 2pd(B) + pd(C)),
\]

and 

\[
pd(G') = pd(\exists x(B \,\&\, C)) = 1 + n + \max(pd(B), pd(C)) = \max(1 + n + pd(B),\ 1 + n + pd(C)).
\]

If pd(B) ≥ pd(C), then 

\[
pd(G) = n + 3pd(B) > 1 + n + pd(B) = pd(G')
\]

and otherwise 

\[
pd(G) = n + 2pd(B) + pd(C) > 1 + n + pd(C) = pd(G')
\]

Thus in both cases pd(G) > pd(G'). 

Similarly, if R5 was applied not at the top level, pd(G) > pd(G'). □ 
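As an added illustration of the potential-depth bookkeeping in the R4 and R5 cases above (example code written for this page, not the paper's own code), the following Python builds a small formula AST, defines pd, and applies the two rewritings to constructed formulas. The paper's definition of pd does not appear on this page, so every clause of pd below is an assumption read off the equations of the derivation: conjunction and disjunction add 1 to the larger operand, negation adds 1, ∃ over n variables adds n, and if[x](B, C) is n + 2pd(B) + max(pd(B), pd(C)). The base case pd(atom) = 1 is likewise assumed; it is chosen because the simplification steps in the proof (dropping 3 + n + pd(B1), and n + 3pd(B) > 1 + n + pd(B)) only go through when every formula has depth at least 1. Rules R1-R3 are not implemented, since the page gives no equations for them. The names G4, G5, pd_r4_closed_form and depth_change are this example's own.

```python
# Added example (not from the paper): potential depth pd and the
# rewriting rules R4/R5 on a small formula AST.  All pd clauses and the
# base case are assumptions inferred from the equations in the proof above.
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Atom:
    name: str


@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Not:
    body: "Formula"


@dataclass(frozen=True)
class Exists:
    vars: Tuple[str, ...]          # the bound variables x (length n)
    body: "Formula"


@dataclass(frozen=True)
class If:
    vars: Tuple[str, ...]          # if[x](cond, then): x bound in cond and then
    cond: "Formula"
    then: "Formula"


Formula = Union[Atom, And, Or, Not, Exists, If]


def pd(f: Formula) -> int:
    """Potential depth; every clause here is inferred from the proof's equations."""
    if isinstance(f, Atom):
        return 1                                  # assumed base case (see lead-in)
    if isinstance(f, (And, Or)):
        return 1 + max(pd(f.left), pd(f.right))   # & and ∨ each add 1 to the larger side
    if isinstance(f, Not):
        return 1 + pd(f.body)                     # so that pd(¬∃xB) = 1 + n + pd(B)
    if isinstance(f, Exists):
        return len(f.vars) + pd(f.body)           # so that pd(∃x(B&C)) = 1 + n + max(...)
    if isinstance(f, If):
        n = len(f.vars)
        return n + 2 * pd(f.cond) + max(pd(f.cond), pd(f.then))
    raise TypeError(f"not a formula: {f!r}")


def has_disjunction(f: Formula) -> bool:
    """True if a ∨ occurs anywhere in f; R5 needs a condition with none."""
    if isinstance(f, Atom):
        return False
    if isinstance(f, Or):
        return True
    if isinstance(f, And):
        return has_disjunction(f.left) or has_disjunction(f.right)
    if isinstance(f, (Not, Exists)):
        return has_disjunction(f.body)
    return has_disjunction(f.cond) or has_disjunction(f.then)


def rewrite_r4(g: If) -> Or:
    """R4: if[x]((B1 ∨ B2), C) ⊳ if[x](B1, C) ∨ (¬(∃x B1) & if[x](B2, C))."""
    if not (isinstance(g, If) and isinstance(g.cond, Or)):
        raise ValueError("R4 applies only to if[x]((B1 ∨ B2), C)")
    xs, b1, b2, c = g.vars, g.cond.left, g.cond.right, g.then
    return Or(If(xs, b1, c), And(Not(Exists(xs, b1)), If(xs, b2, c)))


def rewrite_r5(g: If) -> Exists:
    """R5: if[x](B, C) ⊳ ∃x(B & C), for a condition B containing no disjunction."""
    if not (isinstance(g, If) and not has_disjunction(g.cond)):
        raise ValueError("R5 applies only when the condition has no disjunction")
    return Exists(g.vars, And(g.cond, g.then))


def pd_r4_closed_form(b1: int, b2: int, c: int, n: int) -> int:
    """Last line of the proof's pd(G') derivation for the R4 case."""
    return max(1 + n + 3 * b1, 1 + n + 2 * b1 + c,
               2 + n + 3 * b2, 2 + n + 2 * b2 + c)


def depth_change(rule, g: If) -> Tuple[int, int]:
    """(pd(G), pd(G')) for one rewriting step; the lemma says the first is >= the second."""
    return pd(g), pd(rule(g))


# Constructed sample formulas (not from the paper); x = (x, y), so n = 2.
xs = ("x", "y")
a, b, c, d, e = (Atom(v) for v in "abcde")
G4 = If(xs, Or(And(a, b), c), Or(d, e))      # if[x]((B1 ∨ B2), C) with pd(B1) > pd(B2)
G5 = If(xs, And(a, b), Or(d, e))             # if[x](B, C) with B free of ∨

if __name__ == "__main__":
    print("R4:", depth_change(rewrite_r4, G4))                                 # (11, 9)
    print("R4 closed form:", pd_r4_closed_form(pd(And(a, b)), pd(c), pd(Or(d, e)), 2))  # 9
    print("R5:", depth_change(rewrite_r5, G5))                                 # (8, 5)
```

On G4 the structural pd of the rewritten formula (9) agrees with the closed form the derivation ends with, and both are below pd(G4) = 11, which is Subcase 1 of the proof (pd(B1) = 2 > pd(B2) = 1, pd(C) = 2 ≤ pd(B1), so pd(G) = 3 + n + 3pd(B1) = 11). For R5 the drop from 8 to 5 is the pd(B) ≥ pd(C) branch.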



Corollary 12. 

For every formula G not in normal form, there is a unique formula G'' in normal form, 
such that for all G' such that G ⊳ G', we have that G' ⊳* G''. 

Proof 

Let k be the length of the longest chain of rewritings that starts with G (by an 
earlier theorem we know that this bound exists). We prove the corollary by induction on k. In 
the base case (k = 1), we know from an earlier theorem that there can be at most one 
G' such that G ⊳ G'; hence, G'' is this G'. In the inductive case, if there 
is a unique G' such that G ⊳ G', the result follows from the induction hypothesis. 
If there is more than one, then for each pair G1 and G2 such that G ⊳ G1 and 
G ⊳ G2, by Theorem 10 there is some G3 such that G1 ⊳* G3 and G2 ⊳* G3. But 
by the induction hypothesis, there is some unique normal form not only of G3 but 
also of G1 and G2. Because G1 ⊳* G3, the normal form of G3 must be the same as 
that of G1, and similarly for G2. Hence all G' such that G ⊳ G' must have some 
unique normal form G''. This therefore is the unique normal form of G. □ 



Theorem 14. 

If α' is α with some formulas transformed by applications of rules R1-R5, then θ : α ⇒ ρ 
in the pessimistic semantics iff θ : α' ⇒ ρ in the pessimistic semantics. 

Proof 

By induction on the structure of the assumption computation. If the application of 
the rules has not changed the top-level connective of the first formula in α, then the 
result follows by the induction hypothesis. Otherwise, we have cases according to 
which of R1-R5 was used to transform the top-level connective of the first formula. 

Cases R1-R3 are very similar to the proof in (Andrews, 1997) and will not be 
repeated here. 

Case R4: The two computations are (θ : if[x]((B1 ∨ B2), C), α ⇒ ρ) and (θ : 
if[x](B1, C) ∨ (¬(∃xB1) & if[x](B2, C)), α ⇒ ρ); we must show that each implies 
the other. There are several subcases. 

If (θ : B1[x := x'] ⇒ θ') and (θ' : Cθ', α ⇒ ρ), where ρ is either some θ'' or 
diverge, then we have the following original computation: 

\[
\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \theta'}{\theta : (B_1 \vee B_2)[x := x'] \Rightarrow \theta'} \qquad \theta' : C\theta', \alpha \Rightarrow \rho}{\theta : \mathit{if}[x]((B_1 \vee B_2), C), \alpha \Rightarrow \rho}
\]

The corresponding computation with the transformed formula is: 

\[
\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \theta' \qquad \theta' : C\theta', \alpha \Rightarrow \rho}{\theta : \mathit{if}[x](B_1, C), \alpha \Rightarrow \rho}}{\theta : \mathit{if}[x](B_1, C) \vee (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \rho}
\]

If (θ : B1[x := x'] ⇒ θ') but (θ' : Cθ', α ⇒ fail), then we have the following 
original computation: 

\[
\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \theta'}{\theta : (B_1 \vee B_2)[x := x'] \Rightarrow \theta'} \qquad \theta' : C\theta', \alpha \Rightarrow \mathit{fail}}{\theta : \mathit{if}[x]((B_1 \vee B_2), C), \alpha \Rightarrow \mathit{fail}}
\]

The corresponding computation with the transformed formula is: 

\[
\dfrac{\theta : \mathit{if}[x](B_1, C), \alpha \Rightarrow \mathit{fail} \qquad \dfrac{\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \theta'}{\theta : \exists x B_1 \Rightarrow \theta'}}{\theta : \neg(\exists x B_1), \mathit{if}[x](B_2, C), \alpha \Rightarrow \mathit{fail}}}{\theta : (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \mathit{fail}}}{\theta : \mathit{if}[x](B_1, C) \vee (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \mathit{fail}}
\]

where the computation of the left-hand premise of the bottommost judgement is as 
follows: 

\[
\dfrac{\theta : B_1[x := x'] \Rightarrow \theta' \qquad \theta' : C\theta', \alpha \Rightarrow \mathit{fail}}{\theta : \mathit{if}[x](B_1, C), \alpha \Rightarrow \mathit{fail}}
\]

We have very similar cases when (θ : B1[x := x'] ⇒ fail) but (θ : B2[x := x'] ⇒ 
θ'), depending on the result of (θ' : Cθ', α). 

When both (θ : B1[x := x'] ⇒ fail) and (θ : B2[x := x'] ⇒ fail), we have the 
following original computation: 

\[
\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \mathit{fail} \qquad \theta : B_2[x := x'] \Rightarrow \mathit{fail}}{\theta : (B_1 \vee B_2)[x := x'] \Rightarrow \mathit{fail}}}{\theta : \mathit{if}[x]((B_1 \vee B_2), C), \alpha \Rightarrow \mathit{fail}}
\]

The corresponding computation with the transformed formula is: 

\[
\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \mathit{fail}}{\theta : \mathit{if}[x](B_1, C), \alpha \Rightarrow \mathit{fail}} \qquad \theta : (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \mathit{fail}}{\theta : \mathit{if}[x](B_1, C) \vee (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \mathit{fail}}
\]

where the computation of the right-hand premise of the bottommost judgement is: 

\[
\dfrac{\dfrac{\dfrac{\theta : B_1[x := x'] \Rightarrow \mathit{fail}}{\theta : \exists x B_1 \Rightarrow \mathit{fail}} \qquad \dfrac{\theta : B_2[x := x'] \Rightarrow \mathit{fail}}{\theta : \mathit{if}[x](B_2, C), \alpha \Rightarrow \mathit{fail}}}{\theta : \neg(\exists x B_1), \mathit{if}[x](B_2, C), \alpha \Rightarrow \mathit{fail}}}{\theta : (\neg(\exists x B_1) \,\&\, \mathit{if}[x](B_2, C)), \alpha \Rightarrow \mathit{fail}}
\]

The subcases in which a result of diverge arises are similar to those in which a 
result of fail arises. 

Case R5: The two computations are (θ : if[x](B, C), α ⇒ ρ) and (θ : 
∃x(B & C), α ⇒ ρ); we must show that one implies the other. We also know that 
B is negated-disjunction. There are two subcases. 

If (θ : B[x := x'] ⇒ θ'), then we have the following original computation: 

\[
\dfrac{\theta : B[x := x'] \Rightarrow \theta' \qquad \theta' : C[x := x']\theta', \alpha \Rightarrow \rho}{\theta : \mathit{if}[x](B, C), \alpha \Rightarrow \rho}
\]

However, because B is negated-disjunction, every computation in the pessimistic 
semantics with substitution and goal stack (θ : B[x := x'], α') must contain a 
substitution and goal stack (θ' : α'). (See Lemma 4.6 of (Andrews, 1997).) Thus we 
have the following computation with the transformed formula: 

\[
\dfrac{\dfrac{\dfrac{\theta' : C[x := x']\theta', \alpha\theta' \Rightarrow \rho}{\theta : B[x := x'], C[x := x'], \alpha \Rightarrow \rho}}{\theta : (B \,\&\, C)[x := x'], \alpha \Rightarrow \rho}}{\theta : \exists x(B \,\&\, C), \alpha \Rightarrow \rho}
\]

However, since θ' applies only to the free variables of B[x := x'], which are x', 
and α does not contain these variables, the topmost judgement is equivalent to 
(θ' : C[x := x']θ', α ⇒ ρ). 

Otherwise, (θ : B[x := x'] ⇒ ρ) where ρ is fail or diverge. In this subcase, the 
bottom of the original computation is as follows: 

\[
\dfrac{\theta : B[x := x'] \Rightarrow \rho}{\theta : \mathit{if}[x](B, C), \alpha \Rightarrow \rho}
\]

The bottom of the computation with the transformed formula is as follows: 



60 James H. Andrews 

\[
\dfrac{\dfrac{\theta : B[x := x'], C[x := x'], \alpha \Rightarrow \rho}{\theta : (B \,\&\, C)[x := x'], \alpha \Rightarrow \rho}}{\theta : \exists x(B \,\&\, C), \alpha \Rightarrow \rho}
\]

The presence of the extra formulas (C[x := x'] and α) has no effect on the 
computation. □ 



